The new Triton TwinBlade Server is the most technologically advanced blade server system in the industry, and the ideal solution for power-efficiency, density, and ease of management.


The Triton TwinBlade Server supports up to 120 DP servers with 240 Intel® Xeon® 5600/5500 series processors per 42U rack, achieving an unmatched 0.35U per DP node. Up to two 4x QDR (40 Gbps) InfiniBand switches, 10GbE switches or pass-through modules give the TwinBlade the bandwidth to support the most demanding applications.


With N+1 redundant, high efficiency (94%) 2500W power supplies, the TwinBlade is the greenest, most energy-efficient blade server in the industry. The energy saved by the iX-Triton TwinBlade Server will keep the environment cleaner and greener, while leaving the green in your bank account.


Server management is also simple with the Triton TwinBlade Server. Remote access is available through SOL (Serial Over LAN), KVM, and KVM over IP technologies. A separate controller processor allows all of the Triton's remote management and monitoring to function regardless of system failures, offering true Lights Out Management.


Using the Triton’s management system, 
administrators can remotely control 
TwinBlades, power supplies, cooling 
fans, and networking switches. Users 
may control the power remotely to 
reboot and reset the Triton TwinBlade 
Center and individual Twin Blades, and 
may also monitor temperatures, power 
status, fan speeds, and voltage. 


For more information on the iX-Triton 
TwinBlade, or to request a quote, visit: 


http://www.iXsystems.com/tritontwinblade 


20 Server Compute Nodes in 7U of Rack Space 


The iX-TB4X2 chassis holds 10 TwinBlade servers and each 
TwinBlade supports two nodes. This gives the iX-TB4X2 chassis the 
ability to house 20 nodes in 7U of rack space. The powerful Triton 
TwinBlade achieves 0.35U per dual-processor node, and is twice as 
dense as the previous generation of dual-processor blades. 


A fully-loaded iX-Triton TwinBlade supports 40 Intel® Xeon® 5600/5500 series processors and up to 2.5 TB DDR 1333/1066/800MHz ECC Registered DIMM memory. In a 42U rack this translates into 120 nodes with 240 Intel® Xeon® 5600/5500 series processors and 15 TB DDR 1333/1066/800MHz ECC Registered DIMM memory.


» By replacing 1U servers with TwinBlade servers, the power 
savings of the iX-TB4X2 can reach more than $1000* per 
year, per server with reduced cooling costs added in. 


» Replacing 1U rackmount servers with an iX-TB4X2 Twin 
Blade can reduce carbon dioxide emissions by over 5.5 
metric tons.** 


» The iX-Triton TwinBlade delivers the most energy-efficient blade server in the industry with four N+1 redundant, high efficiency (94%) 2500W power supplies.


* Electricity costs vary by location. 


** According to Energy Information Agency (a statistical agency of the U.S. Department of Energy), 
saving one kilowatt hour of electricity reduces carbon dioxide emissions by 1.43 pounds. 


Call iXsystems toll free or visit our website today! 
+1-800-820-BSDi | www.iXsystems.com 


Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries.


Key features: 


Up to 10 dual-node TwinBlades in a 7U 
Chassis, 6 Chassis per 42U rack 
Remotely manage and monitor 
TwinBlades, power supplies, cooling fans, 
and networking switches 

Hardware Health Monitor 

Virtual Media Over LAN (Virtual USB, Floppy/CD, and Drive Redirection)
Integrated IPMI 2.0 w/ remote KVM over 
LAN/IP 

Remote Power Control 

Supports one hot-plug management 
module providing remote KVM and IPMI 
2.0 functionalities 

Up to four N+1 redundant, hot-swap 
2500W power supplies 

Up to 16 cooling fans 


Each of the TwinBlade’s 
two nodes features: 


Intel® Xeon® processor 5600/5500 series, with QPI up to 6.4 GT/s


Intel® 5500 Chipset 


Up to 128GB DDR3 1333/ 1066/ 800MHz 
ECC Registered DIMM / 32GB Unbuffered 
DIMM 


Intel® 82576 Dual-Port Gigabit Ethernet 
2 x 2.5" Hot-Plug SATA Drive Trays 
Integrated Matrox G200eW Graphics 


Mellanox ConnectX QDR InfiniBand 40Gbps or 10GbE support (Optional)


Powerful. Intelligent.
Dear Readers!

Make yourself comfortable and open this issue. October has welcomed us with the cold weather and nothing reminds us about summer.

You will find inside some advice about Building VPNs written by Daniele. Joshua as always shares with us his thought in Let's Talk. Rob introduces the first part of his article, to teach you how to perform a bare metal installation of FreeBSD with networking enabled.

Hope you find the articles interesting and useful.

We want to remind you about answering short questionnaires concerning our magazine. This will certainly help us to improve our magazine!

Thank you and enjoy your reading!

Thank you:
Olga Kartseva
Editor in Chief
olga.kartseva@software.com.pl


Editor in Chief: Olga Kartseva olga.kartseva@software.com.pl

Contributing: Rob Somerville, Daniele Mazzocchio, Rashid N. Achilov, Joseba
Lukas Holt, Caryn Holt, Laura Michaels

Art Director: Ireneusz Pogroszewski

DTP: Ireneusz Pogroszewski

Senior Consultant/Publisher: Paweł Marciniak pawel@software.com.pl

National Sales Manager: Ewa Łozowicka ewa.lozowicka@software.com.pl

Marketing Director: Ewa Łozowicka ewa.lozowicka@software.com.pl

Executive Ad Consultant: Karolina Lesińska karolina.lesinska@bsdmag.org

Advertising Sales: Olga Kartseva olga.kartseva@software.com.pl

Publisher: Software Press Sp. z o.o. SK
ul. Bokserska 1, 02-682 Warszawa, Poland
worldwide publishing
tel: 1 917 338 36 31
www.bsdmag.org

Software Press Sp. z o.o. SK is looking for partners from all over the world. If you are interested in cooperation with us, please contact us via e-mail: editors@bsdmag.org

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

The editors use an automatic DTP system.

Mathematical formulas created by Design Science MathType™.
Commissioning FreeBSD with the Drupal Content Management Framework - Part 1
ROB SOMERVILLE
With nearly 6000 modules and PHP support Drupal offers a sophisticated web development platform as well as a thriving community.

Drupal, originally conceived by Dries Buytaert, has a reputation of being an extremely capable Content Management System (CMS) albeit with a steep learning curve. While many criticisms concerning the complexity of the interface will be addressed in the forthcoming Drupal 7 release (which is currently in the alpha stage), Drupal 6 excels in stability, flexibility and high quality code. The developers also subscribe to a transparent policy towards security issues, and have a dedicated security team which ensures that core modules remain high quality. It is used as the basis of many high profile sites.


HOW TO’S 


12 Building VPNs on OpenBSD 

Daniele Mazzocchio 
A VPN is a network made up of multiple private networks situated at different locations, linked together using secure tunnels over a public (insecure) network, typically the Internet.

VPNs are becoming increasingly popular, as they allow 
companies to join the LANs of their branches or subsidiaries into 
a single private network (site-to-site VPNs) or to provide mobile 
employees, such as sales people, access to their corporate 
network from outside the premises (remote-access VPNs), 
thus making accessing and sharing internal information much 
easier. 
Closed-source and unsupported drivers with FreeBSD

Anton Borisov
Sooner or later you come to the conclusion that you need more mobility throughout your home. And you decide to purchase a Wi-Fi card and put it into a home gate-keeper. Do you know about the troubles that a simple transaction like a WiFi network card purchase could bring? Some might ask: is it necessary to buy a WiFi card instead of a simple Access Point (AP)? At first glance you can figure out that there exist fine models of ADSL modems with wireless capabilities that could work as an AP. However, it should be noted that: a) not all home connections to an Internet provider go through 'copper' like a phone or cable line; b) you may simply need to add WiFi capability to an already working gateway; c) a WiFi card itself costs several times less than an AP.
LET'S TALK

46 I.T. certifications and the value I got in it

Joshua Ebarvia
Joshua shares his experience with our readers, this time about certifications.
Commissioning FreeBSD with the Drupal Content Management Framework - Part 1

With nearly 6000 modules and PHP support Drupal offers a sophisticated web development platform as well as a thriving community.


What you will learn...
• How to patch, upgrade and install ports, initially configure Apache, PHP, MySQL and Drupal

What you should know...
• How to perform a bare metal installation of FreeBSD with networking enabled etc.


Drupal, originally conceived by Dries Buytaert, has a reputation of being an extremely capable Content Management System (CMS) albeit with a steep learning curve. While many criticisms concerning the complexity of the interface will be addressed in the forthcoming Drupal 7 release (which is currently in the


Listing 1. Extract from rc.conf file 
hostname="drupal.merville.intranet" 


Listing 2. Extract from hosts file

192.168.0.117 drupal.merville.intranet drupal


Listing 3. Patching FreeBSD to the latest revision

pkg_add -r portaudit portupgrade
freebsd-update fetch
freebsd-update install
portsnap fetch
portsnap extract
pkgdb -F
portupgrade -avbPR --batch


Listing 4. PHP pre-compile set-up

cd /usr/ports/lang/php5
make config
cd /usr/ports/lang/php5-extensions
make config


Listing 5. Installing the ports

cd /usr/ports/databases/mysql55-server
make install BATCH=YES
cd /usr/ports/www/apache22
make install BATCH=YES
cd /usr/ports/lang/php5
make install BATCH=YES
cd /usr/ports/lang/php5-extensions
make install BATCH=YES


Listing 6. Ensure the PHP module is present in httpd.conf

LoadModule php5_module libexec/apache22/libphp5.so
Figure 1. Ensure the Apache module is enabled (the "Options for php5 5.3.3_2" dialog, with "Build Apache module" ticked)


alpha stage), Drupal 6 excels in stability, flexibility and high quality code. The developers also subscribe to a transparent policy towards security issues, and have a dedicated security team which ensures that core modules remain high quality. It is used as the basis of many high profile sites (Table 2).


Requirements

Drupal requires Apache/MySQL/PHP and may be configured to run in a virtual host environment. In this Howto, we will install Drupal as a stand-alone server. This demo was prepared using Virtualbox 3.28 hosting FreeBSD 8.1 with 1GB RAM and 20GB storage.


Stage 1 - Install FreeBSD

Proceed with a bare metal install of FreeBSD 8.1, and configure user accounts, networking etc. so that the install can download ports from the FreeBSD website. To minimise server bloat, I performed a minimal install without the ports tree etc. which took only a few minutes.


Figure 2. Enable PHP support as required (the "Options for php5-extensions 1.4" dialog)
Listing 7. Setting up the php.ini file

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini


Listing 8. drupal.conf

#
# Apache configuration file for Drupal6
#

DocumentRoot "/usr/local/www/drupal6/"
<Directory "/usr/local/www/drupal6">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php
</IfModule>

ErrorLog /var/log/drupal.log


Listing 9. Add PHP support to mime.types

# Added for PHP support
application/x-httpd-php        php
application/x-httpd-php-source phps


Listing 10. Drupal log file

touch /var/log/drupal.log


Listing 11. MySQL config file

cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf


Listing 12. Securing the root MySQL password

/usr/local/etc/rc.d/mysql-server onestart
mysqladmin password


Listing 13. Create database

mysqladmin -u root -p create drupal6
Listing 14. Login to MySQL

mysql -u root -p


Listing 15. SQL to create Drupal database and user login

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES, CREATE TEMPORARY TABLES ON drupal6.*
TO 'drupal'@'localhost' IDENTIFIED BY '!1gHs7i-LL34';


Listing 16. Installing Drupal and supporting modules

cd /usr/ports/www/drupal6
make install BATCH=YES
cd /usr/ports/www/drupal6-advanced_help
make install BATCH=YES
cd /usr/ports/www/drupal6-cck
make install BATCH=YES
cd /usr/ports/www/drupal6-chaos
make install BATCH=YES
cd /usr/ports/www/drupal6-ckeditor
make install BATCH=YES
cd /usr/ports/www/drupal6-image
make install BATCH=YES
cd /usr/ports/www/drupal6-imce
make install BATCH=YES
cd /usr/ports/www/drupal6-menu_block
make install BATCH=YES
cd /usr/ports/www/drupal6-nodewords
make install BATCH=YES
cd /usr/ports/www/drupal6-page_title
make install BATCH=YES
cd /usr/ports/www/drupal6-panels
make install BATCH=YES
cd /usr/ports/www/drupal6-path_redirect
make install BATCH=YES
cd /usr/ports/www/drupal6-pathauto
make install BATCH=YES
cd /usr/ports/www/drupal6-print
make install BATCH=YES
cd /usr/ports/www/drupal6-seo_checklist
make install BATCH=YES
cd /usr/ports/www/drupal6-views
make install BATCH=YES
cd /usr/ports/www/drupal6-webform
make install BATCH=YES
cd /usr/ports/www/drupal6-wysiwyg
make install BATCH=YES
cd /usr/ports/www/drupal6-zeropoint
make install BATCH=YES
Listing 17. Copying the Drupal settings file across

cd /usr/local/www/drupal6/sites/default
cp default.settings.php-dist settings.php
chown www:www settings.php


Listing 18. Starting Apache

/usr/local/etc/rc.d/apache22 onestart


Stage 2 - Post install configuration of FreeBSD, install the latest ports tree and AMP stack

First of all, ensure that /etc/rc.conf and /etc/hosts have a valid hostname and IP address respectively, otherwise Apache will not start. Replace with parameters that match your network (Listing 1/2).

As we will require PHP library support for Apache, the AMP stack etc. will have to be installed from ports rather


Figure 3. Drupal up and running ready for install (the installer at 192.168.0.117, "Choose language" step)


Figure 4. Use the settings in Listing 13/14/15 (the "Database configuration" step)
Figure 5. Drupal installing


than packages. Best practice in a production environment is to ensure the server is patched to the latest revision, so we will install portaudit (which checks for known vulnerabilities) and portupgrade which upgrades the ports to the latest version. The binary freebsd-update applies security updates to the base system, while portsnap will pull the latest version of the ports tree onto our server. As a precaution, pkgdb will be used to check the package registry database prior to upgrade.


Figure 6. Drupal login and email settings (the "Configure site" step: clean URLs and update notifications)
Figure 7. Installation complete


NOTE

Running portsnap, pkgdb and portupgrade on an existing FreeBSD installation should be done with caution as the ports tree will be updated and may have unforeseen implications — see the man pages and the FreeBSD website for further details and caveats etc.

Depending on your bandwidth and server specification, the entire upgrade may take some time, so if you prefer to perform the install without patching the box, the ports tree can either be installed from the FreeBSD DVD / ISO during Stage 1, or the commands portsnap fetch and portsnap extract can be used to fetch and extract the latest tree, which takes a few minutes (see Listing 3).

Now that we have the ports tree installed and updated, we can proceed to install the AMP stack. Prior to the compilation of PHP, we need to ensure that the Apache module is enabled and any additional PHP extensions are installed as required, e.g. curl or bz2 (Listing 4 and Figure 1/2):


Figure 8. Site up and running (the "Welcome to your new Drupal website!" page at drupal.merville.intranet)
Listing 19. Add these settings to rc.conf

# Added for Drupal support
sendmail_enable="NONE"
apache22_enable="YES"
mysql_enable="YES"


Using make config can be repeated for MySQL and Apache as required, but for the Drupal install to proceed the only essential change is support for the Apache module (Figure 1).

Now we need to download the ports and install (Listing 5). Using the BATCH=YES switch means we can leave the server to perform an unattended install with the default values if additional ports etc. are downloaded. If fine control of the installation is required, this may be omitted but further intervention will be needed during the installation of various libraries etc. to fine tune any settings.


Stage 3 - Configure Apache, PHP and MySQL

Check that the following line is in the DSO Support section of /usr/local/etc/apache22/httpd.conf (Listing 6). Copy the php.ini-production file to php.ini (Listing 7).

Create an Apache configuration file for Drupal, /usr/local/etc/apache22/Includes/drupal.conf, and add the following (Listing 8). Add PHP support to /usr/local/etc/apache22/mime.types (Listing 9). Create the error log file for Drupal (Listing 10). Copy the skeleton my-medium.cnf file to /var/db/mysql/my.cnf (Listing 11). Start MySQL and secure the MySQL root password (Listing 12). Create the MySQL database drupal6 (Listing 13).


Table 1. Files modified during install
/etc/hosts
/etc/rc.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache22/mime.types
/usr/local/etc/apache22/Includes/drupal.conf
/usr/local/etc/php.ini
/var/db/mysql/my.cnf
/usr/local/www/drupal6/sites/default/settings.php
Table 2. Some high-profile Drupal websites

Drupal Websites
UK government national data - data.gov.uk
The Economist - economist.com
The Mayor of London - london.gov.uk
MTV UK - mtv.co.uk
Sony Music - musicbox.sonybmg.com
The New York State Senate - nysenate.gov
The New Republic - tnr.com
Ubuntu Linux - ubuntu.com
The World Food Program - wfp.org
The US Whitehouse - whitehouse.gov


Set the privileges and drupal MySQL password to !1gHs7i-LL34 for database drupal6 (Listing 14/15).


Stage 4 - Install and configure Drupal

Install Drupal and supporting modules (Listing 16). Copy the Drupal settings file across (Listing 17). Start Apache (Listing 18). Install Drupal via the web interface: point your browser at the IP address set in hosts in Listing 2 (Figure 3/4/5/6/7). Add settings to rc.conf so daemons start on reboot (Listing 19).
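Once the installer has finished, the two files from Stage 3 and 4 worth re-checking are drupal.conf and sites/default/settings.php. The POSIX sh script below is an added example, not one of the article's listings: it audits a drupal.conf-style file for directory indexing, a missing ErrorLog and AllowOverride None, and checks that settings.php is no longer group- or world-writable. The configuration embedded in it is constructed to resemble Listing 8 and is written to a temporary file rather than read from the system.

```shell
#!/bin/sh
# Post-install sanity checks for the Apache/Drupal configuration produced in
# Stage 3 and 4. Added example; the sample config below is constructed to
# look like Listing 8 and stands in for
# /usr/local/etc/apache22/Includes/drupal.conf.

# audit_apache_conf FILE
# Prints one finding per line; the return value is the number of findings.
audit_apache_conf() {
    f="$1"
    n=0
    # 'Options Indexes' lets Apache list any directory without an index file
    # (for example sites/default/files), exposing uploads and module layout.
    # A leading '-' (Options -Indexes) switches listings off, so only count
    # a bare or '+'-prefixed Indexes.
    if grep -E '^[[:space:]]*Options[[:space:]]' "$f" |
       grep -Eq '(^|[[:space:]])\+?Indexes([[:space:]]|$)'; then
        echo "WARN: 'Options Indexes' enables directory listings; prefer 'Options -Indexes +FollowSymLinks'"
        n=$((n + 1))
    fi
    # Listing 8 routes Drupal's Apache errors to /var/log/drupal.log; make
    # sure the directive survived editing.
    if ! grep -Eq '^[[:space:]]*ErrorLog[[:space:]]' "$f"; then
        echo "WARN: no ErrorLog directive; Drupal errors go only to the default Apache log"
        n=$((n + 1))
    fi
    # AllowOverride None makes Apache ignore the .htaccess shipped with
    # Drupal (clean-URL rewrites and its deny rules for .inc/.module files),
    # so those rules have to be carried into drupal.conf by hand.
    if grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+None' "$f"; then
        echo "INFO: AllowOverride None ignores Drupal's .htaccess; carry its rules into drupal.conf or use AllowOverride All"
        n=$((n + 1))
    fi
    return $n
}

# settings_php_locked FILE
# Returns 0 when FILE exists and is writable by neither group nor others.
# settings.php only needs to be writable while the web installer runs (the
# reason for 'chown www:www' in Listing 17); afterwards it holds the
# database credentials and should be read-only for the web server.
settings_php_locked() {
    [ -f "$1" ] || return 1
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# Demo on a constructed drupal.conf written to a temporary file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
DocumentRoot "/usr/local/www/drupal6/"
<Directory "/usr/local/www/drupal6">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ErrorLog /var/log/drupal.log
EOF
audit_apache_conf "$demo_conf"
echo "findings: $?"
# Reuse the temp file to show the permission check (0644: owner-only write).
chmod 0644 "$demo_conf"
settings_php_locked "$demo_conf" && echo "settings file is read-only for group/others"
rm -f "$demo_conf"
```

Run it against the real files with `audit_apache_conf /usr/local/etc/apache22/Includes/drupal.conf` and `settings_php_locked /usr/local/www/drupal6/sites/default/settings.php` once the web installer has completed.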


Next article

In Part 2, we will look at setting up templates, adding content and further configuring and extending the site functionality. Now is a good time to secure and fine tune the configuration further and get to know the Drupal 6 interface.


ROB SOMERVILLE

Rob Somerville has been passionately involved with technology both as an amateur and professional since childhood. A passionate convert to *BSD, he stubbornly refuses to shave off his beard under any circumstances. Fortunately, his wife understands him (she was working as a System/36 operator when they first met). The technological passions of their daughter and numerous pets are still to be revealed.
Creative Data Solutions and Hosting

Operating Systems are the worlds in the IT universe. Get yours:
FreeBSD, NetBSD starting at € 25
CentOS, OpenSuSE starting at € 25
RHEL, SLES starting at € 42
MacOS X Server starting at € 67
Windows Server starting at € 42

Replicate your databases in high class data centers.
Got an idea? Make it live. In a genioDATA Server.
Have an email archive run by genioDATA that leaves nothing more to wish for.
Copy your files to several sites to plan for disaster recovery.

Need an ERP environment (enterprise resource planning)? Have to operate a web(services) cluster with 99,999 % availability? Need an email environment where not one email gets lost?

genioDATA engineers it.
genioDATA runs it.
You use it.

genioDATA
info@sccon.de www.geniodata.com/bsdi.html +49(0)8092 862568


HOW TO'S

Building VPNs on OpenBSD

A VPN is a network made up of multiple private networks situated at different locations, linked together using secure tunnels over a public (insecure) network, typically the Internet.

What you will learn...

What you should know...
• A good knowledge of OpenBSD administration

Traffic inside VPN tunnels is usually encrypted and authenticated to provide security equivalent to that provided by leased lines, but at a fraction of the cost. A tunnel is created by encapsulating a network protocol (e.g. IP) within another network protocol, operating at the same layer of the OSI model (e.g. IP, ICMP) or at a higher layer (e.g. ESP, TLS).

VPNs are becoming increasingly popular, as they allow companies to join the LANs of their branches or subsidiaries into a single private network (site-to-site VPNs) or to provide mobile employees, such as sales people, access to their corporate network from outside the premises (remote-access VPNs), thus making accessing and sharing internal information much easier.

Though most often associated with IPsec (http://www.kernel-panic.it/openbsd/vpn/vpn2.html), VPNs are a rather broad concept and can be implemented using a number of different tunneling protocols (L2TP, MPLS, PPTP, TLS, among others). In particular, in this document, we will take a look at the three most popular VPN implementations supported by OpenBSD:


IPsec

http://www.kernel-panic.it/openbsd/vpn/vpn2.html - a suite of standard protocols, defined in various RFCs (see Appendix), that operate at the network layer of the OSI model; OpenBSD (http://www.openbsd.org/) natively supports IPsec protocols and provides specific tools and daemons to manage IPsec VPNs;


OpenVPN

http://www.openvpn.net/ — an SSL-based VPN solution, operating at the application layer and probably the strongest contender for IPsec, thanks to its robustness, ease of use and portability;


OpenSSH

http://www.openssh.org/ — since release 4.3, OpenSSH supports the tunneling of arbitrary network packets over a connection between an OpenSSH client and server, as a true VPN (see [OBSD39] http://www.openbsd.com/39.html).

Besides the inherent differences in cryptographic algorithms and authentication mechanisms, these three VPN implementations differ under several aspects; each one has its own advantages and drawbacks and the choice among them must consider not only the ease of installation and administration, but also factors like bandwidth, reliability and scalability. The following are the most relevant differences:


• IPsec runs in kernel space, tightly integrated with the host TCP/IP stack, while OpenVPN and OpenSSH are user-space daemons. The in-kernel architecture has the advantage of being faster and more efficient, but may increase the impact of possible vulnerabilities and programming errors on the whole system;

• OpenVPN and OpenSSH have a slightly higher overhead due to the encapsulation of the payload within higher layers of the OSI model;

• IPsec works at the network layer of the OSI model, while both OpenVPN and OpenSSH can operate in either bridging mode (layer 2) or routing mode (layer 3) (please refer to [OVPN-FAQ] http://www.openvpn.net/index.php/open-source/faq.html#bridge2 for a brief overview of bridging vs. routing); to tunnel ethernet traffic over IPsec, you need the additional layer of tunneling provided by the gif(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=gif&sektion=4) interface;

• IPsec interoperability comes from its being a standard, but different vendors' implementations may not be entirely compatible; the interoperability of OpenVPN and OpenSSH, instead, is ensured by their high portability across the most popular OSes.


Despite the many differences, OpenVPN has some common ground with IPsec, since, as stated in [OVPN-SEC] (http://www.openvpn.net/index.php/open-source/faq.html#security-issues), OpenVPN's security model is heavily based on the IPSec ESP protocol for secure tunnel transport over UDP.

This document assumes that you are familiar with 
OpenBSD, since it won't cover topics like base system 
configuration, packages/ports installation or Packet Filter 
syntax. 


IPsec overview

IPsec configuration on OpenBSD is a pretty easy and straightforward process, especially compared to most other implementations; nevertheless, IPsec is a rather complicated beast and a good working knowledge of its protocols and internals is essential to configure it and get it to work properly. Therefore, before beginning the configuration, let's take a brief tour of the IPsec protocols and features.

Figure 1. ESP and AH - transport mode

IPsec (IP security) is a suite of standard protocols designed to provide interoperable, high quality, cryptographically-based security [RFC4301] (http://tools.ietf.org/html/rfc4301) for protecting communications over IPv4 and IPv6 networks. The main security services offered by IPsec are:


• Confidentiality — traffic is encrypted to ensure that only the legitimate receiver is able to access the data transmitted.

• Connectionless integrity — ensures that no modifications were made to the data while in transit across the network.

• Data origin authentication — the receiver is able to verify that data actually originates from the claimed source.

• Detection and rejection of replays — duplicate IP datagrams are detected and processed only once.


These security services are provided at the IP layer 
(layer 3 of the OSI model), thus protecting all protocols 
that may be carried over IP, including IP itself. 


IPsec protocols 
Most of IPsec security services are provided using two 
traffic security protocols: 


• AH (Authentication Header) — defined in [RFC4302] (http://tools.ietf.org/html/rfc4302), AH is used to provide connectionless integrity, data origin authentication and optional (at the discretion of the receiver) anti-replay protection for IP datagrams.

• ESP (Encapsulating Security Payload) — defined in [RFC4303] (http://tools.ietf.org/html/rfc4303), ESP offers the same set of services as AH (data origin authentication, connectionless integrity and anti-replay), plus confidentiality.
Figure 2. Basic network topology of the VPN

ESP is by far the most popular of the two protocols, since it provides confidentiality by encrypting network traffic, thus protecting transmitted data from passive attacks. On the other hand, AH provides stronger authentication than ESP as it protects part of the outer IP header as well as the next level protocol data, while ESP only protects the inner (encapsulated) IP header; however, this feature, in addition to not being of great use in most cases, also violates the modularization of the protocol stack (see [SCHNEIER] http://www.schneier.com/paper-ipsec.pdf, where the AH protocol is proposed for complete elimination).

AH and ESP may also be applied in combination with 
each other to exploit the strengths of both protocols but, in 
most real-world scenarios, ESP alone is enough. 

Both ESP and AH support two modes of operation: 


• transport mode — IPsec protects only the payload of the IP packet (usually the transport layer data, hence its name), leaving the IP header, and thus routing, unchanged; transport mode can be used only for host-to-host communication (see Figure 1);

• tunnel mode — the entire IP packet is encrypted and/or authenticated and then encapsulated into a new IP packet; tunnel mode is typically used to connect either two remote networks or a host and a network; it is more flexible than transport mode, but imposes more bandwidth overhead (see Figure 2).


The flexibility of tunnel mode allows it to fully supersede 
the functionality of transport mode, at the reasonable 
expense of a slightly higher bandwidth overhead. As 
a consequence, transport mode is rarely used in real- 
world VPNs and, just like AH, [SCHNEIER] (http://
www.schneier.com/paper-ipsec.pdf) suggests that
transport mode be eliminated altogether, with the 
advantage of significantly reducing IPsec complexity. 

In a nutshell, while ESP and tunnel mode are by far
the most prevalent choice, AH and transport mode can
be considered the black sheep of the IPsec protocol
family!
Figure 3. ESP and AH - tunnel mode

SA, SPI, SPD and other acronyms

To actually establish the VPN, the IPsec protocols 
require that some state data be shared between the 
VPN endpoints, such as the cryptographic algorithms 
for encryption and authentication, the keys used as input 
to the cryptographic algorithms, the current sequence 
number, the antireplay window and so on. 

These data are held in a data structure called a Security 
Association (SA); SAs are created by a specific protocol, 
IKEv2 (defined in [RFC4306] http://tools.ietf.org/html/
rfc4306), which also has the responsibility of mutually
authenticating the two communicating parties, setting up
the encrypted channel for secure information exchange
(these steps are part of the so-called IKE phase 1) and
negotiating the shared secret from which cryptographic
keys are derived (IKE phase 2).

A Security Association applies to a single protocol (AH 
or ESP) and to a single direction of traffic flow; therefore, 
to secure typical, bi-directional communication between 
two IPsec-enabled systems, a pair of SAs (one in each 
direction) is required. IKE explicitly creates SA pairs in 
recognition of this common usage requirement [RFC4301] 
(http://tools.ietf.org/html/rfc4301#section-4.1).

SAs are collected in a Security Association Database 
(SAD), where they are uniquely identified by the 
combination of protocol (AH or ESP), destination address 
and an arbitrary 32-bit value called the Security Parameter 
Index (SPI). The SPI has the specific task of helping the 
receiver to identify the SA under which an incoming 
packet should be processed. 

But how does IPsec decide which datagrams to send
through the VPN and which not? For instance, in a typical 
site-to-site VPN scenario, the IPsec gateway will usually 
tunnel and/or protect only traffic between the remote 


Listing 1. Adding the variables to the /etc/sysctl.conf

/etc/sysctl.conf

net.inet.esp.enable=1        # Enable the ESP IPsec protocol
net.inet.ah.enable=1         # Enable the AH IPsec protocol
net.inet.ip.forwarding=1     # Enable IP forwarding for the host.
                             # Set it to 2 to forward only IPsec traffic
net.inet.ipcomp.enable=1     # Optional: compress IP datagrams
LANs, leaving all other traffic unaffected. Well, IPsec
makes such decisions based on policies, i.e. user-defined 
rules stating which packets should be protected using 
IPsec security services, which should be allowed to 
bypass IPsec protection and which should be discarded. 
IPsec policies are applied based on some specific fields 
in the datagram headers, called selectors, which include: 
source and destination addresses, Next Layer Protocol, 
source and destination ports (if used by the next layer 
protocol). 

As with Security Associations, IPsec policies are held in 
a database, called the Security Policy Database (SPD), 
which must be consulted during the processing of all traffic 
(inbound and outbound), including traffic not protected by 
IPsec, that traverses the IPsec boundary. 


The life of an IPsec packet 

To recap, let's have a look at what the (brief) life of an 
IPsec packet looks like; we will consider the most common 
case: an ESP tunnel-mode VPN between two remote 
networks (see picture above). The story begins when the 
first gateway (GW1) receives an outbound packet from 
a host (Host1) within its internal network and destined for 
a host (Host2) on the remote network: 


• the gateway first compares the datagram's selector
fields against the SPD to find the first matching policy;

• the policy may specify one of three possible
processing choices:

  • DISCARD, the packet is not allowed to traverse
  the IPsec boundary and is dropped;

  • BYPASS, the packet is allowed to cross the IPsec
  boundary without IPsec protection and will be
  routed normally;

  • PROTECT, the packet must be afforded IPsec
  protection and the policy will point to zero or more
  SAs in the SAD;

• in the present case, the gateway has a policy
specifying that the datagram must be encapsulated
with tunnel-mode ESP and sent to GW2;

• if no SA exists for this policy, IKE will be invoked to
negotiate the SAs with the appropriate peer;

• the first matching SA(s) will be applied, providing the
requested security services to the datagram;

• the IP datagram will be encapsulated in ESP and
the outer IP header will have the addresses of GW1
and GW2 as source and destination addresses
respectively.


After a brief walk around the Internet, the encapsulated 
packet hits the second gateway (GW2): 
• the datagram is checked to see whether it contains
an IPsec header; if not, the datagram is forwarded
normally;

• using the destination address, the SPI and the type of
IPsec header of the incoming datagram, the gateway
determines which SA to use; if no matching SA is
found, the packet is dropped;

• if antireplay is activated, the sequence number is
checked for validity;

• the packet is decrypted and/or authenticated as
specified by the SA;

• the gateway locates the SPD entry that applies to the
datagram based on its selectors and verifies that the
SA(s) applied in the previous steps match with SA(s)
specified by the policy;

• the packet is decapsulated and forwarded to the next hop
or to the appropriate transport protocol.
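The packet walk above, together with the SA/SPI/SPD section before it, as an added example that is not the article's code: a small Python model of an IPsec gateway with an SPD consulted first-match, a SAD keyed on (protocol, destination address, SPI), one SA per direction, and the ESP anti-replay sliding window. The gateway addresses, SPIs and policies are assumptions.

```python
# Toy model of the outbound and inbound IPsec paths described above (ESP, tunnel mode).
# Constructed example, not OpenBSD code: Policy, SA and Gateway and the addresses used
# in demo() are assumptions; the replay window follows the sliding-window scheme of
# RFC 4303 section 3.4.3.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

REPLAY_WINDOW = 64  # packets; RFC 4303 requires a window of at least 32

@dataclass
class Packet:
    src: str
    dst: str
    ipsec: Optional[str] = None        # "esp" once the packet is encapsulated
    spi: Optional[int] = None
    seq: Optional[int] = None
    inner: Optional["Packet"] = None   # original datagram carried inside the tunnel

@dataclass
class Policy:                          # one SPD entry (selectors reduced to addresses)
    src: str
    dst: str
    action: str                        # DISCARD, BYPASS or PROTECT
    peer: Optional[str] = None         # tunnel endpoint, PROTECT policies only

    def matches(self, p: Packet) -> bool:
        return ip_address(p.src) in ip_network(self.src) and ip_address(p.dst) in ip_network(self.dst)

@dataclass
class SA:                              # one SAD entry: (proto, dst, spi), one direction only
    proto: str
    dst: str
    spi: int
    peer: str                          # remote gateway the SA was negotiated with
    next_seq: int = 1                  # ESP sequence numbers start at 1
    last_seq: int = 0                  # highest sequence number accepted so far
    bitmap: int = 0                    # bit i set => sequence number last_seq - i was seen

    def antireplay_ok(self, seq: int) -> bool:
        """Sliding-window check: False for duplicates and for packets older than the window."""
        if seq == 0:
            return False
        if seq > self.last_seq:        # new high-water mark: slide the window forward
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1) if shift < REPLAY_WINDOW else 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= REPLAY_WINDOW or self.bitmap & (1 << diff):
            return False
        self.bitmap |= 1 << diff
        return True

class Gateway:
    def __init__(self, addr: str, spd: list, sas: list):
        self.addr, self.spd = addr, spd
        self.sad = {(s.proto, s.dst, s.spi): s for s in sas}

    def lookup_policy(self, p: Packet) -> Optional[Policy]:
        return next((pol for pol in self.spd if pol.matches(p)), None)   # first match wins

    def outbound(self, p: Packet) -> Optional[Packet]:
        pol = self.lookup_policy(p)
        if pol is None or pol.action == "DISCARD":
            return None                # no matching policy is treated as DISCARD
        if pol.action == "BYPASS":
            return p
        sa = next((s for s in self.sad.values() if s.proto == "esp" and s.dst == pol.peer), None)
        if sa is None:                 # this is where IKE would be invoked to negotiate one
            raise LookupError(f"no SA towards {pol.peer}: IKE negotiation needed")
        seq, sa.next_seq = sa.next_seq, sa.next_seq + 1
        return Packet(self.addr, pol.peer, ipsec="esp", spi=sa.spi, seq=seq, inner=p)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.ipsec is None:
            return p                   # no IPsec header: forward normally
        sa = self.sad.get((p.ipsec, p.dst, p.spi))
        if sa is None or not sa.antireplay_ok(p.seq):
            return None                # unknown SA, or replayed/stale sequence number
        pol = self.lookup_policy(p.inner)   # a real stack decrypts and authenticates first
        if pol is None or pol.action != "PROTECT" or pol.peer != sa.peer:
            return None                # the SA used does not match the policy for this traffic
        return p.inner

def demo() -> dict:
    """Host1 -> GW1 -> GW2 -> Host2, then a replay, an unknown SPI and a BYPASS packet."""
    gw1 = Gateway("1.2.3.4", [Policy("172.16.0.0/24", "192.168.0.0/24", "PROTECT", "5.6.7.8"),
                              Policy("172.16.0.0/24", "0.0.0.0/0", "BYPASS")],
                  [SA("esp", "5.6.7.8", 0x1001, peer="5.6.7.8")])   # GW1 -> GW2 direction only
    gw2 = Gateway("5.6.7.8", [Policy("172.16.0.0/24", "192.168.0.0/24", "PROTECT", "1.2.3.4"),
                              Policy("192.168.0.0/24", "172.16.0.0/24", "PROTECT", "1.2.3.4")],
                  [SA("esp", "5.6.7.8", 0x1001, peer="1.2.3.4")])
    host_pkt = Packet("172.16.0.10", "192.168.0.20")
    wire = gw1.outbound(host_pkt)                                  # ESP tunnel packet on the wire
    return {"wire": (wire.src, wire.dst, wire.spi, wire.seq),
            "delivered": gw2.inbound(wire) == host_pkt,            # decapsulated for Host2
            "replayed": gw2.inbound(wire),                         # same packet again: dropped
            "unknown_spi": gw2.inbound(Packet("9.9.9.9", "5.6.7.8", ipsec="esp", spi=0x2002, seq=1)),
            "bypassed": gw1.outbound(Packet("172.16.0.10", "8.8.8.8"))}  # not VPN traffic
```

Note that GW2 holds no SA towards 1.2.3.4, so `gw2.outbound()` of a reply raises `LookupError`: that is the point at which a real gateway would invoke IKE to negotiate the second SA of the pair.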


Listing 2. The first step in setting up the PKI is the creation of the root
CA certificate and private key on the signing machine using openssl

CA# openssl req -x509 -days 365 -newkey rsa:1024 \
    > -keyout /etc/ssl/private/ca.key \
    > -out /etc/ssl/ca.crt
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to '/etc/ssl/private/ca.key'
Enter PEM pass phrase: <passphrase>
Verifying - Enter PEM pass phrase: <passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: Kernel Panic Inc.
Organizational Unit Name (eg, section) []: IPsec
Common Name (eg, fully qualified host name) []: ca.kernel-panic.it
Email Address []: danix@kernel-panic.it
CA#
IPsec on OpenBSD
Now that we have an adequate working knowledge of the 
IPsec architecture and protocols, we are finally ready to 
move from theory to practice and start having some fun 
with OpenBSD! OpenBSD ships by default with full IPsec 
support in the stock kernel and provides a set of user-space 
daemons and tools for managing IPsec configuration, 
dynamic key exchange and high availability; and the great 
thing is that, as you'll see, setting up an IPsec VPN on 
OpenBSD is an incredibly simple and fast task, especially 
compared to most other IPsec implementations out there. 

But before proceeding to edit configuration files and 
run system commands, let's take a brief look at the basic 
network topology of the VPN that we are going to set up 
in this document; it's a very simple site-to-site VPN, with 
a couple of multi-homed security gateways (VPN1 and 
VPN2) linking two remote private networks (172.16.0.0/ 
24 and 192.168.0.0/24) see Figure 3. 

In this chapter, we will set up the VPN using IPsec: to be 
more precise, we will configure it in tunnel mode (the only 


Listing 3. The creation of a Certificate Signing Request (CSR) on
each of the IKE peers

VPN1# openssl req -new -key /etc/isakmpd/private/local.key \
    > -out /etc/isakmpd/private/1.2.3.4.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: Kernel Panic Inc.
Organizational Unit Name (eg, section) []: IPsec
Common Name (eg, fully qualified host name) []: 1.2.3.4
Email Address []: danix@kernel-panic.it

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <enter>
An optional company name []: <enter>
VPN1#
option for network-to-network VPNs) and use the ESP
protocol in order to encrypt the VPN traffic as it traverses
the Internet; we will also consider the case of redundant
IPsec gateways with carp(4) (http://www.openbsd.org/
cgi-bin/man.cgi?query=carp&sektion=4). Then, in the
next chapters, we will see how the same VPN can be 
implemented using alternative solutions, in particular 
OpenVPN and OpenSSH. 


Preliminary steps 

Before proceeding to configure IPsec, we have to perform 
a few preliminary steps to make sure the systems are 
correctly set up for IPsec to work properly. The IPsec 
protocols are enabled or disabled in the OS's TCP/IP stack
via two sysctl(3) (http://www.openbsd.org/cgi-bin/man.cgi?
query=sysctl&sektion=3) variables: net.inet.esp.enable and
net.inet.ah.enable, both enabled by default; you can check
this by running the sysctl(8) (http://www.openbsd.org/cgi-
bin/man.cgi?query=sysctl&sektion=8) command:


# sysctl net.inet.esp.enable 
net.inet.esp.enable=1 
# sysctl net.inet.ah.enable 


net.inet.ah.enable=1 


Since our VPN gateways will have to perform traffic routing, 
we also need to enable IP forwarding, which is turned 
off by default. This is done, again, with sysctl(8) (http://
www.openbsd.org/cgi-bin/man.cgi?query=sysctl&sektion=
8), by setting the value of the net.inet.ip.forwarding variable
to 1 if you want any kind of traffic to be forwarded or 2 if you
want to restrict forwarding to only IPsec-processed traffic:

# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1


Optionally, you may also want to enable the IP Payload 
Compression Protocol (IPComp) to reduce the size of 
IP datagrams for higher VPN throughput; however, bear 
in mind that the reduction of bandwidth usage comes at 
the expense of a higher computational overhead (see 
[RFC3173] http://tools.ietf.org/html/rfc3173 for further 
details): 


# sysctl net.inet.ipcomp.enable=1 


net.inet.ipcomp.enable: 0 -> 1 


To make these settings permanent across reboots, add 
the following variables to the /etc/sysctl.conf(5) (http://
www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf&s
ektion=5) file: see Listing 1.
Finally, we need to bring up the enc(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=enc&sektion=4)
virtual network interface. This interface allows you to inspect
outgoing IPsec traffic before it is encapsulated and incoming
IPsec traffic after it is decapsulated; this is primarily useful for
filtering IPsec traffic with PF and for debugging purposes.

# ifconfig enc0 up

To make the system automatically bring up the enc(4)
(http://www.openbsd.org/cgi-bin/man.cgi?query=enc&s
ektion=4) interface at boot, create the /etc/hostname.enc0
(http://www.openbsd.org/cgi-bin/man.cgi?query=hostna
me.if&sektion=5) configuration file:

/etc/hostname.enc0

up


Setting up the PKI 

OpenBSD's IKE key management daemon, isakmpd(8)
(http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd
&apropos=0&sektion=8), relies on public key certificates
for authentication and therefore requires that you first set 
up a Public Key Infrastructure (PKI) for managing digital 
certificates. 

The first step in setting up the PKI is the creation of the 
root CA certificate (/etc/ssl/ca.crt) and private key (/etc/
ssl/private/ca.key) on the signing machine (which doesn't
have to be necessarily one of the VPN gateways) using
openssl(1) (http://www.openbsd.org/cgi-bin/man.cgi?query
=openssl&sektion=1); e.g.: see Listing 2.

The next step is the creation of a Certificate Signing 
Request (CSR) on each of the IKE peers; for instance, the 
following command will generate the CSR (/etc/isakmpd/ 
private/1.2.3.4.csr) for the VPN1 machine (the IP address, 
in this case 1.2.3.4, is used as unique ID): see Listing 3. 

Next, the CSRs must be sent to the CA, which will 
generate the signed certificates out of the certificate 
requests. For instance, assuming the CSR file is in the 
current directory: see Listing 4. 

Finally, you need to copy the newly-generated 
certificates (the files ending in .crt) to the respective 
machines in the /etc/isakmpd/certs/ directory, as well as 
the CA certificate (/etc/ssl/ca.crt) in /etc/isakmpd/ca/. 


Configuration 

So we have conveniently set up the system for IPsec use 
and generated all the required certificates for IKE peer 
authentication; now we're finally ready to configure our 
VPN connection. On OpenBSD, all the configuration for 
IPsec takes place in a single file, /etc/ipsec.conf(5) (http://
www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&s
ektion=5), which uses a very compact syntax, similar to
pf.conf(5) (http://www.openbsd.org/cgi-bin/man.cgi?query
=pf.conf&sektion=5), to define almost every characteristic
of the VPN; the basic format of the file is as follows:

• comment lines begin with a hash character (#) and
extend to the end of the line;

• rules may span across multiple lines using the
backslash character (\);

• network addresses can be specified in CIDR notation,
as symbolic host names, interface names, or interface
group names;

• to simplify the configuration file, macros can be used;
macro names must start with a letter, may contain
letters, numbers and underscores and must not be
reserved words;

• certain parameters (such as IP addresses) can be
expressed as lists; lists are comma-separated and
enclosed in curly braces.


Listing 4. CSRs must be sent to the CA, assuming the CSR file is in
the current directory

CA# env CERTIP=1.2.3.4 openssl x509 -req \
    > -days 365 -in 1.2.3.4.csr -out 1.2.3.4.crt \
    > -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
    > -CAcreateserial -extfile /etc/ssl/x509v3.cnf -extensions x509v3_IPAddr
Signature ok
subject=/C=IT/ST=Italy/L=Milan/O=Kernel Panic Inc./OU=IPsec/CN=1.2.3.4/emailAddress=danix@kernel-panic.it
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/ca.key: <passphrase>
CA#
Listing 5. The syntax

ike [mode] [encap] [tmode] [proto protocol] \
    from src [port sport] [(srcnat)] to dst [port dport] \
    [local localip] [peer remote] \
    [mode auth algorithm enc algorithm group group] \
    [quick auth algorithm enc algorithm group group] \
    [srcid string] [dstid string] \
    [psk string] [tag string]
There are different types of ipsec.conf(5) (http://
www.openbsd.org/cgi-bin/man.cgi?query=ipsec.con
f&sektion=5) rules, depending on whether you want
IPsec flows and SAs to be set up automatically (using
isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man.cgi?
query=isakmpd&sektion=8)) or manually; we will only
consider the former case (which is usually what you
want), so please refer to the documentation (http://
www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&se
ktion=5) for further details on manual setups. The syntax
is as follows: see Listing 5.

Though it may look rather complex at first, actual rules 
are usually very short and simple because most of the 
parameters can be omitted, in which case the default 
values are used. But let's examine the rule syntax in 
detail: 


• ike [mode] [encap] [tmode] — the ike keyword
specifies that isakmpd(8) (http://www.kernel-panic.it/
cgi-bin/man.cgi?query=isakmpd&sektion=8) must
be used to automatically establish the Security
Associations for this flow; mode can be either active
(isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man
.cgi?query=isakmpd&sektion=8) will immediately
start negotiation of this tunnel), passive (to wait for
an incoming request from the remote peer to start
negotiation) or dynamic (to be used for hosts with
dynamic IP addresses) and defaults to active; encap


Listing 6. The configuration files for the site-to-site VPN we're
setting up

/etc/ipsec.conf

# Macros
ext_if = "rl0"                                      # External interface (1.2.3.4)
local_net = "172.16.0.0/24"                         # Local private network
remote_gw = "5.6.7.8"                               # Remote IPsec gateway
remote_nets = "{192.168.0.0/24, 192.168.1.0/24}"    # Remote private networks

# Set up the VPN between the gateway machines
ike esp from $ext_if to $remote_gw
# Between local gateway and remote networks
ike esp from $ext_if to $remote_nets peer $remote_gw
# Between the networks
ike esp from $local_net to $remote_nets peer $remote_gw
specifies the encapsulation protocol and can be
either esp (default) or ah; tmode is the transport mode to
use, i.e. tunnel (default) or transport.

• proto protocol — Restrict the flow to a specific IP
protocol (e.g. TCP, UDP, ICMP); by default all
protocols are allowed.

• from src [port sport] [(srcnat)] to dst [port dport] —
Specify the source and destination addresses of
the packets that this rule applies to; you may also
specify source and/or destination ports, but only
in conjunction with the TCP or UDP protocols. The
srcnat parameter can be used to specify the actual
source address in outgoing NAT/BINAT scenarios.

• local localip peer remote — Specify the local and
remote endpoints of the VPN; the local endpoint is
required only if the machine has multiple addresses;
the remote endpoint can be omitted if it corresponds
to the dst parameter.

• mode auth algorithm enc algorithm group group
— Specify the mode (main or aggressive) and
cryptographic transforms to be used for IKE phase 1
negotiation; please refer to the documentation (http:/
/www.openbsd.org/cgi-bin/man.cgi?query=ipsec.con
f&sektion=5) for a complete list of the possible values
and their defaults.

• quick auth algorithm enc algorithm group group —
Specify the cryptographic transforms to be used
for IKE phase 2 negotiation; please refer to the


Listing 7. The configuration files for the site-to-site VPN we're
setting up

/etc/ipsec.conf

# Macros
ext_if = "rl0"                                      # External interface (5.6.7.8)
local_nets = "{192.168.0.0/24, 192.168.1.0/24}"     # Local private networks
remote_gw = "1.2.3.4"                               # Remote IPsec gateway
remote_net = "172.16.0.0/24"                        # Remote private network

# Set up the VPN between the gateway machines
ike esp from $ext_if to $remote_gw
# Between local gateway and remote network
ike passive esp from $ext_if to $remote_net peer $remote_gw
# Between the networks
ike passive esp from $local_nets to $remote_net peer $remote_gw
documentation (http://www.openbsd.org/cgi-bin/man
.cgi?query=ipsec.conf&sektion=5) for a complete list
of the possible values and their defaults.

• srcid string dstid string — Define the unique ID that
isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man.cgi?
query=isakmpd&sektion=8) will use as the identity of
the local (srcid) and remote (dstid) peer; if omitted, the
IP address is used.

• psk string — Use a pre-shared key for authentication
instead of isakmpd(8) (http://www.kernel-panic.it/cgi-bin/
man.cgi?query=isakmpd&sektion=8).

• tag string — Add a pf(4) (http://www.openbsd.org/
cgi-bin/man.cgi?query=pf&sektion=4) tag to IPsec
packets matching this rule.


So let's write the configuration files for the site-to-site 
VPN we're setting up; as you'll see, it's a really trivial 
task and a few rules will do. On the VPN1 host, the /etc/
ipsec.conf(5) (http://www.openbsd.org/cgi-bin/man.cgi?
query=ipsec.conf&sektion=5) file will look like this: see
Listing 6 and on VPN2: see Listing 7.

Now we are ready to start the isakmpd(8) (http://
www.kernel-panic.it/cgi-bin/man.cgi?query=isakmpd&
sektion=8) daemon on both gateways; we will make it run
in the foreground (-d option) in order to easily notice any
errors:

# isakmpd -K -d


Then, again on both gateways, we can parse ipsec.conf(5)
(http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.
conf&sektion=5) rules (-n option of ipsecctl(8) (http://
www.openbsd.org/cgi-bin/man.cgi?query=ipsecctl&
sektion=8)) and, if no errors show up, load them:


# ipsecctl -n -f /etc/ipsec.conf 


# ipsecctl -f /etc/ipsec.conf 


You can check that IPsec flows and SAs have
been correctly set up by running ipsecctl(8) (http://
www.openbsd.org/cgi-bin/man.cgi?query=ipsecctl&
sektion=8) with the -s all option; for example: see Listing 8.
Well, since everything seems to be working fine, we can
configure the system to automatically start the VPN at boot
by adding the following variables in /etc/rc.conf.local(8)
(http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf.l
ocal&sektion=8) on both security gateways:

/etc/rc.conf.local

isakmpd_flags="-K"    # Avoid keynote(4) policy checking
ipsec=YES             # Load ipsec.conf(5) rules


www.bsdmag.org 


Listing 8. You can check that IPsec flows and SAs have been
correctly set up by running ipsecctl(8)

VPN1# ipsecctl -s all
FLOWS:
flow esp in from 192.168.0.0/24 to 1.2.3.4 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type use
flow esp out from 1.2.3.4 to 192.168.0.0/24 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type require
flow esp in from 192.168.1.0/24 to 1.2.3.4 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type use
flow esp out from 1.2.3.4 to 192.168.1.0/24 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type require

esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x021fa231 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x15ebe203 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x25da55ac auth hmac-sha2-256 enc aes
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x391aa50b auth hmac-sha2-256 enc aes
VPN1#
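As an added example that is not part of the article, a check one can run over the output of `ipsecctl -s all`: it flags flows that lack their reverse (in/out swapped) counterpart and tunnel directions whose number of SAs differs from the opposite direction, the two asymmetries that, as the SA section explains, should not occur once IKE has set up the SA pairs. The sample output is constructed after Listing 8, with invented SPIs and a deliberately missing outbound flow.

```python
# Consistency check for `ipsecctl -s all` output, in the spirit of the verification
# step above: each flow needs its reverse (in/out swapped) and each tunnel direction
# needs as many SAs as the opposite direction. Added example, not the article's code;
# the sample output below is constructed after Listing 8, with invented SPIs.
import re
from collections import Counter

FLOW_RE = re.compile(r"^flow (?P<proto>esp|ah) (?P<dir>in|out) from (?P<src>\S+) "
                     r"to (?P<dst>\S+) peer (?P<peer>\S+)")
SA_RE = re.compile(r"^(?P<proto>esp|ah) (?:tunnel|transport) from (?P<src>\S+) "
                   r"to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)")

# Constructed sample: the 192.168.1.0/24 network has an inbound flow but no outbound
# one, and the 5.6.7.8 -> 1.2.3.4 direction has two SAs against one in reverse.
SAMPLE = """\
FLOWS:
flow esp in from 192.168.0.0/24 to 1.2.3.4 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type use
flow esp out from 1.2.3.4 to 192.168.0.0/24 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type require
flow esp in from 192.168.1.0/24 to 1.2.3.4 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type use
flow esp in from 5.6.7.8 to 1.2.3.4 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type use
flow esp out from 1.2.3.4 to 5.6.7.8 peer 5.6.7.8 srcid 1.2.3.4/32 dstid 5.6.7.8/32 type require

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x00000001 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x00000002 auth hmac-sha2-256 enc aes
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x00000003 auth hmac-sha2-256 enc aes
"""

def parse(output: str):
    """Split ipsecctl output into flow and SA records (dicts of the captured fields)."""
    flows, sas = [], []
    for line in output.splitlines():
        if m := FLOW_RE.match(line.strip()):
            flows.append(m.groupdict())
        elif m := SA_RE.match(line.strip()):
            sas.append(m.groupdict())
    return flows, sas

def unpaired_flows(flows):
    """Flows whose reverse flow (src/dst swapped, opposite direction, same peer) is missing."""
    have = {(f["proto"], f["dir"], f["src"], f["dst"], f["peer"]) for f in flows}
    rev = lambda f: (f["proto"], "out" if f["dir"] == "in" else "in", f["dst"], f["src"], f["peer"])
    return [f for f in flows if rev(f) not in have]

def unbalanced_sas(sas):
    """Directions whose SA count differs from the reverse direction, as (src, dst, n, n_reverse)."""
    counts = Counter((s["proto"], s["src"], s["dst"]) for s in sas)
    return sorted((src, dst, n, counts.get((proto, dst, src), 0))
                  for (proto, src, dst), n in counts.items()
                  if n != counts.get((proto, dst, src), 0))

def check(output: str = SAMPLE) -> dict:
    """Summarise the parsed output and the two kinds of asymmetry found in it."""
    flows, sas = parse(output)
    return {"flows": len(flows), "sas": len(sas),
            "unpaired_flows": [(f["dir"], f["src"], f["dst"]) for f in unpaired_flows(flows)],
            "unbalanced_sas": unbalanced_sas(sas)}
```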


Listing 9. The sample configuration file

/etc/sasyncd.conf

# carp(4) interface to track state changes on
interface carp0

# Interface group to use to suppress carp(4) preemption during boot
group carp

# sasyncd(8) peer IP address or hostname. Multiple 'peer' statements are allowed
peer <peer address or hostname>

# Shared AES key used to encrypt messages between sasyncd(8) hosts. It can be
# generated with the openssl(1) command 'openssl rand -hex 32'
sharedkey 0x115c413529ba5ac96b208d83a50473b3e6ade60e66c59a10a944ad3d273148dd
Packet filtering

IPsec traffic can be filtered on the enc(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=enc&sektion=4)
interface, where it appears unencrypted before
encapsulation and after decapsulation. The following are
the main points to keep in mind for filtering IPsec traffic:

• IPsec protocols (http://www.kernel-panic.it/openbsd/
vpn/vpn2.html#vpn-2.1) (AH and/or ESP) must be
explicitly allowed on the external interface; e.g.:

# Allow ESP encapsulated IPsec traffic on the external interface
pass in  on $ext_if proto esp from $remote_gw to $ext_if
pass out on $ext_if proto esp from $ext_if to $remote_gw


• isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man.cgi?
query=isakmpd&sektion=8) requires that UDP traffic
on ports 500 (isakmp) and 4500 (ipsec-nat-t) be
allowed on the external interface; e.g.:


Listing 10. Initializing parameters in the vars file with your
organization's data to avoid being prompted for the same
information every time you create a new certificate

/usr/local/share/examples/openvpn/easy-rsa/2.0/vars

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IT"
export KEY_PROVINCE="Italy"
export KEY_CITY="Milan"
export KEY_ORG="Kernel Panic Inc."
export KEY_EMAIL="danix@kernel-panic.it"
# Allow isakmpd(8) traffic on the external interface
pass in  on $ext_if proto udp from $remote_gw to $ext_if \
    port {isakmp, ipsec-nat-t}
pass out on $ext_if proto udp from $ext_if to $remote_gw \
    port {isakmp, ipsec-nat-t}

• if the VPN is in tunnel mode, IP-in-IP traffic between
the two gateways must be allowed on the enc(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=enc&sekti
on=4) interface; e.g.:

# Allow IP-in-IP traffic between the gateways on the enc(4) interface
pass in  on enc0 proto ipencap from $remote_gw to $ext_if keep state (if-bound)
pass out on enc0 proto ipencap from $ext_if to $remote_gw keep state (if-bound)

• as stated before, IPsec traffic filtering is done on the
enc(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=
enc&sektion=4) interface, where it appears unencrypted.
State on the enc(4) (http://www.openbsd.org/cgi-bin/
man.cgi?query=enc&sektion=4) interface should be
interface bound (http://www.openbsd.org/faq/pf/
options.html#state-policy); e.g.:


Listing 11. Initializing the PKI by building the Diffie-Hellman
parameters and creating the root CA certificate and key

# cd /usr/local/share/examples/openvpn/easy-rsa/2.0/
# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/share/examples/openvpn/easy-rsa/2.0/keys
# ./clean-all
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......+.......+...........................................+
# ./pkitool --initca
Using CA Common Name: Kernel Panic Inc. CA
Generating a 1024 bit RSA private key
.......++++++
# Filter unencrypted VPN traffic on the enc(4) interface
pass in  on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out on enc0 from $int_if:network to $remote_nets keep state (if-bound)

Redundant VPNs with sasyncd(8)

One of the most interesting features of OpenBSD's
implementation of the IPsec protocol is the possibility
to set up multiple VPN gateways in a redundant
configuration, allowing for transparent failover of VPN
connections without any loss of connectivity.

Typically, in OpenBSD, redundancy at the network level is
achieved through the carp(4) (http://www.openbsd.org/cgi-
bin/man.cgi?query=carp&sektion=4) protocol, which allows
multiple hosts on the same local network to share a common
IP address. Redundancy at the logical VPN layer, instead, is
provided by the sasyncd(8) (http://www.openbsd.org/cgi-bin/
man.cgi?query=sasyncd&sektion=8) daemon, which allows
the synchronization of IPsec SA and SPD information
between multiple IPsec gateways.


Listing 12. Creating the certificate and key for the VPN server

# ./pkitool --server vpn1.kernel-panic.it
Generating a 1024 bit RSA private key
.......++++++
Using configuration from /usr/local/share/examples/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IT'
stateOrProvinceName   :PRINTABLE:'Italy'
localityName          :PRINTABLE:'Milan'
organizationName      :PRINTABLE:'Kernel Panic Inc.'
commonName            :PRINTABLE:'vpn1.kernel-panic.it'
emailAddress          :IA5STRING:'danix@kernel-panic.it'
Certificate is to be certified until Jun  2 06:41:51 2019 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#
We have already covered the carp(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion
=4) protocol in a previous document (http://www.kernel-
panic.it/openbsd/carp/index.html) about redundant
firewalls, so we won't come back to this topic now;
therefore, I assume that you already have a working
carp(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=
carp&sektion=4) setup and that you have modified your
configuration accordingly (in particular the ipsec.conf(5)
(http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.c
onf&sektion=5) and pf.conf(5) (http://www.openbsd.org/
cgi-bin/man.cgi?query=pf.conf&sektion=5) files).

Please note that, as stated in the documentation
(http://www.openbsd.org/cgi-bin/man.cgi?query=sasyn
cd&sektion=8), for SAs with replay protection enabled,
such as those created by isakmpd(8) (http://www.kernel-
panic.it/cgi-bin/man.cgi?query=isakmpd&sektion=8), the
sasyncd(8) (http://www.openbsd.org/cgi-bin/man.cgi?quer
y=sasyncd&sektion=8) hosts must have pfsync(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sekt
ion=4) enabled to synchronize the in-kernel SA replay


Listing 13. Using the pkitool utility to generate as many client
certificates as we need

# ./pkitool vpn2.kernel-panic.it
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to 'vpn2.kernel-panic.it.key'
Using configuration from /usr/local/share/examples/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IT'
stateOrProvinceName   :PRINTABLE:'Italy'
localityName          :PRINTABLE:'Milan'
organizationName      :PRINTABLE:'Kernel Panic Inc.'
commonName            :PRINTABLE:'vpn2.kernel-panic.it'
emailAddress          :IA5STRING:'danix@kernel-panic.it'
Certificate is to be certified until Jun  2 08:47:25 2019 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#
counters (for a detailed discussion of the pfsync(4) (http://
www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektio
n=4) protocol, please refer to [CARP] http://www.kernel-
panic.it/openbsd/carp/carp5.html).

The sasyncd(8) (http://www.openbsd.org/cgi-bin/man.
cgi?query=sasyncd&sektion=8) daemon is configured
through the /etc/sasyncd.conf(5) (http://www.openbsd.org/
cgi-bin/man.cgi?query=sasyncd.conf&sektion=5) file,
which has a rather self-explanatory syntax; below
is a sample configuration file: see Listing 9. Since
sasyncd.conf(5) (http://www.openbsd.org/cgi-bin/man.cgi?


Listing 14. The sample configuration file

/etc/openvpn/server.conf

# Transport protocol to use. Available protocols are udp and tcp-server
proto udp
# TCP/UDP port to listen on
port 1194
# Name of the tun(4) device to use
dev tun0
# Uncomment to enable the management interface on port 1195. The password file
# only contains the management password on a single line.
#management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
# Path to the CA certificate
ca /etc/openvpn/ca.crt
# Path to the server's certificate file
cert /etc/openvpn/vpn1.kernel-panic.it.crt
# Path to the private key file
key /etc/openvpn/private/vpn1.kernel-panic.it.key
# Path to the file containing the Diffie-Hellman parameters
dh /etc/openvpn/dh1024.pem
# Address range for the tun(4) interfaces
server 10.0.0.0 255.255.255.0
# Uncomment to allow clients to dynamically change address (useful for
# road-warriors)
#float
# Send periodic keepalive messages
keepalive 10 120

query=sasyncd.conf&sektion=5) contains the shared secret key used to encrypt data between the sasyncd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8) hosts, it should have restrictive permissions (600) and belong to the root or isakmpd user:

# chown root /etc/sasyncd.conf
# chmod 600 /etc/sasyncd.conf

Well, now we're ready to run the sasyncd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&


# Use lzo compression to reduce network utilization
comp-lzo
# User the OpenVPN daemon should run as
user openvpn
# Group the OpenVPN daemon should run as
group openvpn
# Make the server daemonize after initialization
daemon openvpn
# Don't re-read key files upon receiving a SIGUSR1 signal
persist-key
# Don't close and reopen the tun(4) device upon receiving a SIGUSR1 signal
persist-tun
# Add a route to the local network to the client's routing table
push "route 172.16.0.0 255.255.255.0"
# Add routes to the remote networks to the server's routing table
route 192.168.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0
# Directory for client-specific configuration files
client-config-dir /etc/openvpn/ccd
# Uncomment to periodically write status information to the specified file
#status /var/log/openvpn-status.log
# Uncomment to raise verbosity level for debugging
#verb 11
We are proud to announce that the bi-annual NYCBSDCon 2010 will be held at Manhattan's prestigious Cooper Union on November 12-14, 2010. This year's conference is sure to build on the successes of previous years featuring a great array of speakers and topics, with an exciting and diverse crowd representing all the BSD projects. The topics for talks include:

• BSD Professional Certification Update: The Lab Exam - Jim Brown
• Practical Security Event Auditing in FreeBSD - Christian Brueffer
• BSD Firewalling with pfSense - Chris Buechler
• BSD: Choose Your Own Adventure - Jason Dixon
• Managing Multiple Machines - FreeBSD, radmind and LDAP - Michael Graziano
• Isilon and FreeBSD - Zachary Loafman
• Escaping the Database Doldrums - James K. Lowden
• BSD Needs Books - Michael Lucas
• The Automated Testing Framework - Julio Merino
• PC-SYSINSTALL: A new system installation backend for PC-BSD and FreeBSD - Kris Moore
• Standing on the Shoulders of Giants: Key Players and Events in BSD History - Jeremy C. Reed
• A Provider's Perspective on IPv6: Getting Beyond the User Experience - Massimiliano Stucchi
• Managing 600 OpenBSD-Based Firewalls in Microsoft-centric Small and Medium Business Networks - Lawrence Teo

Tickets:
$95.00 for early registration ending November 1st
$125 from November 2nd to November 11th
$150 to buy tickets at the door

Students:
Free for all Cooper Union students and staff - please ask local acm/ieee group for registration code
$75.00 Full-time students - must show a current ID upon entry

http://www.nycbsdcon.org
sektion=8) daemon on the redundant gateways; but first we need to restart isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man.cgi?query=isakmpd&sektion=8) with the -S option, which is mandatory on redundant setups (remember to add it also to isakmpd_flags in /etc/rc.conf.local(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf.local&sektion=8)):

# pkill isakmpd
# isakmpd -S -K
# sasyncd


Listing 15. Make sure that the configuration matches the server configuration

/etc/openvpn/client.conf

# Act as a client
client
# IP address (or hostname) and port of the OpenVPN server. You may specify
# multiple 'remote' options for redundancy.
remote 1.2.3.4 1194
# Transport protocol to use. Available protocols are udp and tcp-client
proto udp
# Name of the tun(4) device to use
dev tun0
# Uncomment if you connect through an HTTP proxy. The authfile must contain
# user and password on 2 lines. The authentication type can be 'none', 'basic'
# or 'ntlm'.
#http-proxy <proxy address> <proxy port> /etc/openvpn/private/<authfile> basic
# Make the server daemonize after initialization
daemon openvpn
# Send periodic keepalive messages
keepalive 10 120
# Don't bind to the local address and port, i.e. don't wait for incoming
# connections
nobind
# User the OpenVPN daemon should run as
user openvpn
# Group the OpenVPN daemon should run as
group openvpn


You can use ipsecctl(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecctl&sektion=8) to verify that SAs are correctly synchronized between the IPsec gateways. Finally, if everything is working fine, we only have to add the following variable to the /etc/rc.conf.local(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf.local&sektion=8) file to automatically start sasyncd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8) on boot.

/etc/rc.conf.local
sasyncd_flags=""


# Directory to chroot to after initialization
chroot /var/empty
# Don't re-read key files upon receiving a SIGUSR1 signal
persist-key
# Don't close and reopen the tun(4) device upon receiving a SIGUSR1 signal
persist-tun
# Path to the CA certificate
ca /etc/openvpn/ca.crt
# Path to the client's certificate file
cert /etc/openvpn/vpn2.kernel-panic.it.crt
# Path to the private key file
key /etc/openvpn/private/vpn2.kernel-panic.it.key
# Require that the peer certificate has the nsCertType field set to 'server'
ns-cert-type server
# Use lzo compression to reduce network utilization
comp-lzo
# Uncomment to periodically write status information to the specified file
#status /var/log/openvpn-status.log
# Uncomment to raise verbosity level for debugging
#verb 11
Note

sasyncd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8) must be manually restarted every time isakmpd(8) (http://www.kernel-panic.it/cgi-bin/man.cgi?query=isakmpd&sektion=8) is restarted.

OpenVPN

OpenVPN (http://www.openvpn.net/) is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface [OVPN-HOWTO] (http://www.openvpn.net/index.php/open-source/documentation/howto.html). Its cross-platform portability, renowned security and ease of use have made OpenVPN one of the most popular VPN solutions today.


Listing 16. Creating and configuring the tun(4) network device and setting up the appropriate routes to the remote network(s) and hosts

VPN1# ifconfig tun0 create
VPN1# ifconfig tun0 10.0.0.1 10.0.0.2 netmask 0xfffffffc
VPN1# route add 192.168.0.0/24 10.0.0.2
VPN1# route add 192.168.1.0/24 10.0.0.2

VPN2# ifconfig tun0 create
VPN2# ifconfig tun0 10.0.0.2 10.0.0.1 netmask 0xfffffffc
VPN2# route add 172.16.0.0/24 10.0.0.1

Listing 17. Creating an RSA authentication key for the user with ssh-keygen(1)

VPN2# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <enter>
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
[fingerprint] root@vpn2.kernel-panic.it
VPN2#
Unlike IPsec, OpenVPN is not tightly integrated into the operating system's kernel, but runs as a user-mode daemon and communicates with the TCP/IP stack via a tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) pseudo-device. Please refer to [OVPN-SEC2] (http://www.openvpn.net/index.php/open-source/documentation/security-overview.html) for a detailed overview of the OpenVPN protocol and security model.

In the next paragraphs, we will implement the same VPN topology as in the previous chapter, though replacing IPsec with OpenVPN. The VPN1 machine will act as the server and wait for incoming connections from VPN2.

Installation and configuration

OpenVPN installation simply requires adding a couple of packages (http://www.openbsd.org/faq/faq15.html#PkgInstall) on both server and client(s):

• lzo-x.x.tgz
• openvpn-x.x.tgz

Setting up the PKI

The first step in configuring OpenVPN is to set up the Public Key Infrastructure, by creating:

• a root CA certificate and private key;
• a certificate and private key for the OpenVPN server;
• a separate certificate and private key for each client that will connect to the VPN.

The CA private key will be used to sign the server and client certificates; this will allow the two VPN endpoints to mutually authenticate each other simply by verifying the CA signature of the other party's certificate, without having to previously know any other certificate but their own (see [OVPN-PKI] (http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki) for further details).

OpenVPN provides a set of scripts, located in /usr/local/share/examples/openvpn/easy-rsa/2.0/, that greatly simplify the process of creating and managing the PKI. These scripts require, as a preliminary step, that you initialize a bunch of parameters in the vars file with your organization's data, to avoid being prompted for the same information every time you create a new certificate: see Listing 10.

Now, after sourcing the vars file, you can initialize the PKI by building the Diffie-Hellman parameters and creating the root CA certificate and key: see Listing 11.

The next step is creating the certificate and key for the VPN server: see Listing 12.

Next, we will use the pkitool utility to generate as many client certificates as we need: see Listing 13.
So we have generated all the certificates and keys we need; you can find them in the /usr/local/share/examples/openvpn/easy-rsa/2.0/keys directory, ready to be copied to the appropriate machines. But before proceeding to copy the key files, we need to create, on both server and clients, the directory (/etc/openvpn/private) that will contain the private keys and assign it restrictive permissions to prevent unauthorized access.

# mkdir -p /etc/openvpn/private
# chmod 700 /etc/openvpn/private

The following are the files that must be copied from the CA-signing machine to the OpenVPN hosts:

• the ca.crt file (the CA certificate) must be copied to the /etc/openvpn directory of all the machines (server and clients);
• the ca.key file (the CA private key) must reside only on the key-signing machine; if you want the OpenVPN server to act also as the CA, just move this file to the /etc/openvpn/private/ directory of the server machine;
• the dh1024.pem file (the Diffie-Hellman parameters) must be placed in the /etc/openvpn directory of the server machine;
• the remaining .crt and .key files (i.e. the certificates and private keys of the server and the clients) must be copied to the respective machines; private keys must be stored in /etc/openvpn/private and certificates should reside in /etc/openvpn.

Finally, remember to delete all the files in /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/:

# ./clean-all
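The permission rules just described (700 on /etc/openvpn/private, 600 on every private key inside it, and 600 with root ownership on /etc/sasyncd.conf from the sasyncd section above) are easy to get wrong when files are copied by hand between machines. The following POSIX sh script is an added example, not code from the article, from OpenVPN or from OpenBSD; it audits those rules using only ls(1), cut(1) and awk(1) (chosen over stat(1), whose flags differ between OpenBSD and GNU), and the function names and the constructed sample directory it builds are mine.

```shell
#!/bin/sh
# Added example (not from the article, OpenVPN or OpenBSD): audit the
# permission rules the text asks for. Assumes POSIX sh with ls(1), cut(1) and
# awk(1); the function names and the sample directory below are mine.

# mode_of PATH -> 10-character mode string from ls -ld (e.g. "-rw-------")
mode_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# owner_of PATH -> owner user name
owner_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | awk '{ print $3 }'
}

# check_secret PATH PERMS [OWNER]
# PERMS is the 9-character permission part, e.g. rw------- for mode 600.
# Prints "ok PATH" or "BAD PATH: reason"; returns 0 only on a full match.
check_secret() {
    path=$1; want=$2; owner=$3
    have=$(mode_of "$path") || { echo "BAD $path: missing"; return 1; }
    have=${have#?}                       # drop the leading file-type character
    if [ "$have" != "$want" ]; then
        echo "BAD $path: mode $have, want $want"; return 1
    fi
    if [ -n "$owner" ] && [ "$(owner_of "$path")" != "$owner" ]; then
        echo "BAD $path: owner $(owner_of "$path"), want $owner"; return 1
    fi
    echo "ok $path"
}

# check_openvpn_private DIR: the directory must be 700 and every file in it 600
check_openvpn_private() {
    rc=0
    check_secret "$1" rwx------ || rc=1
    for f in "$1"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob did not expand
        check_secret "$f" rw------- || rc=1
    done
    return $rc
}

# make_sample_private_dir: constructed stand-in for /etc/openvpn/private
make_sample_private_dir() {
    dir=$(mktemp -d)
    mkdir -m 700 "$dir/private"
    : > "$dir/private/vpn2.kernel-panic.it.key"
    chmod 600 "$dir/private/vpn2.kernel-panic.it.key"
    echo "$dir/private"
}
```

On a gateway you would call `check_openvpn_private /etc/openvpn/private` and `check_secret /etc/sasyncd.conf rw------- root`; a non-zero exit status from either is a finding worth fixing before the daemons are started, since both OpenVPN and sasyncd read these secrets at startup.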


Server configuration

OpenVPN supports a number of configuration parameters, allowing you to deeply customize its behaviour. These parameters can be either passed on the command line or set in a configuration file. Omitted parameters take their default value.

Below is a sample configuration file (see [OVPN-MAN] (http://www.openvpn.net/man.html) for a complete list of all the available parameters): see Listing 14.

The client-config-dir directive in the server configuration file allows you to specify a directory containing client-specific configuration files. These files must have the same name as the client's X509 Common Name, specified during the creation of the certificates. In this case, we will create a file named /etc/openvpn/ccd/vpn2.kernel-panic.it, which will specify which private networks can be reached through the OpenVPN client:

/etc/openvpn/ccd/vpn2.kernel-panic.it
iroute 192.168.0.0 255.255.255.0
iroute 192.168.1.0 255.255.255.0

Though very similar, both the route and iroute directives are necessary, because route controls the routing from the kernel to the OpenVPN server (via the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) interface) while iroute controls the routing from the OpenVPN server to the remote clients [OVPN-HOWTO] (http://www.openvpn.net/index.php/open-source/documentation/howto.html).
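Because route and iroute are two halves of one path, an iroute in a ccd file with no matching route in server.conf is a classic misconfiguration: the tunnel comes up, yet the remote LAN stays unreachable because the kernel never hands those packets to OpenVPN. The script below is an added example, not code from the article or from OpenVPN, that cross-checks the two; it assumes POSIX sh with awk(1) and grep(1), and the function names and the constructed server.conf and ccd directory are mine.

```shell
#!/bin/sh
# Added example (not from the article or OpenVPN): verify that every network a
# client announces with "iroute" in its ccd file is also covered by a "route"
# line in server.conf. Assumes POSIX sh with awk(1) and grep(1); the function
# names and the sample configuration are mine.

# routes_in FILE KEYWORD -> one "network netmask" pair per KEYWORD line
routes_in() {
    awk -v kw="$2" '$1 == kw && NF >= 3 { print $2, $3 }' "$1"
}

# check_iroutes SERVER_CONF CCD_DIR
# Returns 0 when every iroute has a matching route; otherwise prints the
# missing "route" lines and returns 1.
check_iroutes() {
    conf=$1; ccd=$2
    missing=$(
        for client in "$ccd"/*; do
            [ -f "$client" ] || continue
            routes_in "$client" iroute | while read -r net mask; do
                routes_in "$conf" route | grep -qxF "$net $mask" ||
                    echo "missing in $conf: route $net $mask (iroute in $(basename "$client"))"
            done
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# make_sample_config: constructed server.conf plus ccd directory in a temp dir;
# the second iroute deliberately has no matching route.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
server 10.0.0.0 255.255.255.0
route 192.168.0.0 255.255.255.0
client-config-dir ccd
EOF
    cat > "$dir/ccd/vpn2.kernel-panic.it" <<'EOF'
iroute 192.168.0.0 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF
    echo "$dir"
}
```

Run it as `check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd` after editing either file; each line it prints is a route directive that still has to be added to server.conf.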


Client configuration

The client-side configuration is pretty similar to the server-side configuration. The address and port of the server are specified via the remote directive. Make sure that the configuration matches the server configuration, in particular that they both use the same protocol and device type and that they both enable or disable lzo compression (see Listing 15).

Starting the VPN

Before starting the VPN, we have to enable IP forwarding on both gateways, since they will have to perform routing of network traffic:

# sysctl net.inet.ip.forwarding=1

Uncomment the following line in /etc/sysctl.conf(5) (http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf&sektion=5) to re-enable IP forwarding after reboot:


Listing 18. Making sure that this file has restrictive permissions

VPN1# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA[...]x/Ssw== root@vpn2.kernel-panic.it
/etc/sysctl.conf
net.inet.ip.forwarding=1

So we're ready to start the VPN! Just run the following command on the server:

vpn1# openvpn --config /etc/openvpn/server.conf

and the following on the client:

vpn2# openvpn --config /etc/openvpn/client.conf

To finish, we just have to create the configuration file for the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) interface on the server (starting OpenVPN from this file improves compatibility with PF):

/etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

and on the client:

/etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf


OpenSSH

OpenSSH (http://www.openssh.org/) is a FREE version of the SSH connectivity tools developed by the OpenBSD project (http://www.openbsd.org/). It certainly needs no introduction as it has now grown into the de facto standard for secure console access over the Internet, widely supplanting the infamous r* commands.

Beginning with version 4.3 (http://www.openssh.com/txt/release-4.3), OpenSSH also provides secure VPN tunneling capabilities at both layer 2 and layer 3 of the OSI model, by using the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) pseudo-device to encapsulate network traffic within SSH packets.

Of the VPN solutions we've seen so far, OpenSSH-based VPNs are by far the simplest to use and the fastest to implement; however, they also imply a considerable overhead. As a consequence, the documentation (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1&format=html#SSH-BASED+VIRTUAL) warns that OpenSSH VPNs may be more suited to temporary setups, such as for wireless VPNs, and recommends the use of IPsec (http://www.kernel-panic.it/openbsd/vpn/vpn2.html) for more permanent VPNs.


Configuration

We will configure the same VPN topology (http://www.kernel-panic.it/openbsd/vpn/vpn3.html#vpn) as in the previous chapters; the VPN1 machine will act as the OpenSSH server, waiting for connections from VPN2. First off, we need to enable tunneling support on the OpenSSH server, since this feature is disabled by default. This is achieved by setting the PermitTunnel parameter in /etc/ssh/sshd_config(5) (http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5) to ethernet or point-to-point, depending on whether you want the VPN to operate at layer 2 of the OSI model, at layer 3, or at both.

/etc/ssh/sshd_config
[...]
# Enable layer-3 tunneling. Change the value to 'ethernet' for layer-2 tunneling
PermitTunnel point-to-point

On the client side, the Tunnel parameter in /etc/ssh/ssh_config(5) (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5) must be set to the same value as PermitTunnel on the OpenSSH server:

/etc/ssh/ssh_config
[...]
# Enable layer-3 tunneling. Change the value to 'ethernet' for layer-2 tunneling
Tunnel point-to-point
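One detail of both sshd_config(5) and ssh_config(5) bites here: for each keyword the first obtained value is used, so adding "PermitTunnel point-to-point" at the bottom of a file that already carries "PermitTunnel no" higher up changes nothing, and the tunnel silently stays disabled. The script below is an added example, not code from the article or from OpenSSH; it computes the value the daemon will really use and compares the two sides of the tunnel. It assumes POSIX sh with awk(1), and the function names and the constructed sample files are mine.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): compute the value sshd(8)
# or ssh(1) will actually use for an option, honouring the rule that the FIRST
# obtained value wins. Assumes POSIX sh and awk(1); function names and sample
# files are mine.

# effective_option FILE KEYWORD DEFAULT -> value of the first KEYWORD line.
# Keywords are case-insensitive and '#' starts a comment. Lines after the first
# Match (sshd) or Host (ssh) header are conditional and are not considered.
effective_option() {
    awk -v kw="$2" -v def="$3" '
        { sub(/#.*/, "") }                                  # strip comments
        NF == 0 { next }                                    # skip blank lines
        tolower($1) == "match" || tolower($1) == "host" { exit }
        tolower($1) == tolower(kw) { found = 1; print $2; exit }
        END { if (!found) print def }
    ' "$1"
}

# tunnel_modes_match SSHD_CONFIG SSH_CONFIG -> 0 if the client's Tunnel value
# equals the server's PermitTunnel value (both default to "no")
tunnel_modes_match() {
    [ "$(effective_option "$1" PermitTunnel no)" = "$(effective_option "$2" Tunnel no)" ]
}

# make_sample_configs: constructed sshd_config/ssh_config pair in a temp dir.
# The sshd_config shows the trap: the enabling line comes second.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# leftover from an earlier hardening pass
PermitTunnel no
PermitTunnel point-to-point   # ignored: the first obtained value wins
Match User backup
    PermitTunnel ethernet
EOF
    cat > "$dir/ssh_config" <<'EOF'
Tunnel point-to-point
EOF
    echo "$dir"
}
```

Calling `effective_option /etc/ssh/sshd_config PermitTunnel no` on VPN1 and `effective_option /etc/ssh/ssh_config Tunnel no` on VPN2 shows at a glance whether the two values agree before the pkill -HUP below; the Match/Host cut-off means the script reports the global value only, which is the one that applies to the root login used in this chapter unless a Match block targets it.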


Next, we need to enable IP forwarding on both VPN gateways, since they will have to perform routing of network traffic:

# sysctl net.inet.ip.forwarding=1

Uncomment the following line in /etc/sysctl.conf(5) (http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf&sektion=5) to re-enable it after reboot:

/etc/sysctl.conf
net.inet.ip.forwarding=1

And the configuration phase is over: how could it be easier? Now we only have to force sshd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8) to reread its configuration file by sending it a SIGHUP signal:

VPN1# pkill -HUP sshd

Starting the VPN

Before actually firing up the VPN, we will carry out a couple of preliminary steps on both the OpenSSH server and the client, i.e. creating and configuring the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) network device and setting up the appropriate routes to the remote network(s) and hosts (see Listing 16).

Well, we're finally ready to initiate the ssh(1) (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1) connection and establish the VPN tunnel. The -f


Bibliography
VPNs Illustrated: Tunnels, VPNs, and IPsec, Jon C. Snader, Addison Wesley, 2006
option requests ssh(1) (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1) to go to background after prompting for the password, and the -w option specifies the numerical ID of the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) device in charge of forwarding VPN traffic; in our setup, we're using tun0 on both client and server, so we will set this option to 0:0.

VPN2# ssh -f -w 0:0 1.2.3.4 true
root@VPN1's password: pAssWOrd


Finishing touches

To finish, we will configure the client machine to automatically start the VPN on boot. To prevent the system from hanging during startup until the user enters the password, we need to create an RSA authentication key for the user with the ssh-keygen(1) (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1) utility (see Listing 17), and add the newly-generated key, contained in /root/.ssh/id_rsa.pub, to the authorized keys in /root/.ssh/authorized_keys on the server; please make sure that this file has restrictive permissions (600): see Listing 18.

Next, on the server side, we need to create the configuration file for the tun(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4) pseudo-device, /etc/hostname.tun0, which will also include the necessary static routes:

/etc/hostname.tun0
10.0.0.1 10.0.0.2 netmask 0xfffffffc
!route add 192.168.0.0/24 10.0.0.2 >/dev/null 2>&1
!route add 192.168.1.0/24 10.0.0.2 >/dev/null 2>&1

Similarly, on the client side, we will create the /etc/hostname.tun0 configuration file:

/etc/hostname.tun0
10.0.0.2 10.0.0.1 netmask 0xfffffffc
!route add 172.16.0.0/24 10.0.0.1 >/dev/null 2>&1

but also add the VPN start command in /etc/rc.local(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=rc.local&sektion=8).

/etc/rc.local
[...]
echo -n ' OpenSSH-VPN'
/usr/bin/ssh -f -w 0:0 1.2.3.4 true


DANIELE MAZZOCCHIO 


Latest version: http://www.kernel-panic.it/openbsd/vpn/ 
Closed-source and unsupported drivers with FreeBSD

Sooner or later you come to the conclusion that you need enhanced mobility throughout your home. And you decide to purchase a Wi-Fi card and put it into a home gate-keeper.

What you will learn...
• How to perform a bare metal installation of FreeBSD with networking enabled etc.

What you should know...
• How to patch, upgrade and install ports, initially configure Apache, PHP, MySQL and Drupal

Trivia
Do you know about the troubles that such a simple transaction as a WiFi network card purchase could bring?

Some might ask: is it necessary to buy a WiFi card instead of a simple AccessPoint (AP)? At first glance you

Listing 1. My home router runs a stable release of FreeBSD 6.2

$ uname -a
FreeBSD bridge2 6.2-RELEASE FreeBSD 6.2-RELEASE #3: Mon Aug  4 17:28:07 MSD 2008     anton@bridge2:/usr/obj/usr/src/sys/bridge2  i386

Listing 2. A new WiFi card isn't identified correctly by FreeBSD

# pciconf -lv
xl0@pci1:4:0:   class=0x020000 card=0x100010b7 chip=0x920010b7 rev=0x78 hdr=0x00
    vendor   = '3COM Corp, Networking Division'
    device   = '3C905C-TX Fast EtherLink for PC Management NIC'
    class    = network
    subclass = ethernet
rl0@pci1:?:0:   class=0x020000 card=0x813910ec chip=0x813910ec rev=0x10 hdr=0x00
    vendor   = 'Realtek Semiconductor'
    device   = 'RT8139 (A/B/C/810x/813x/C+) Fast Ethernet Adapter'
    class    = network
    subclass = ethernet
none0@pci1:10:0: class=0x028000 card=0x3a711186 chip=0x03021814 rev=0x00 hdr=0x00
    vendor   = 'Ralink Technology, Corp.'
    class    = network
Listing 3. It seems that no wireless driver has been found for a new card

$ kldstat
Id Refs Address    Size     Name
 1   33 0xc0400000 ...      kernel
 2    1 0xc2...    ...      acpi.ko
 3    1 0xc2409000 6000     ...
[...]
 7    1 0xc2...    6000     ng_ppp.ko
[...]
14    1 0xc2...    3000     ng_mppc.ko
15    1 0xc2a3e000 2000     rc4.ko


Listing 4. Grepping through a kernel sources can give us a hint

$ cd /usr/src/sys/i386/conf/
$ cat m-gw | egrep ral
# SCSI peripherals
device      agp     # support several AGP chipsets
# Parallel port
device      ppbus   # Parallel port bus (required)
device      plip    # TCP/IP over parallel
device      ppi     # Parallel port interface device
# If you've got a "dumb" serial or parallel PCI card that is


can figure out that there exist fine models of ADSL modems with wireless capabilities that could work as an AP. However, it should be noticed that:

a) not all home connections to an Internet provider go through a copper phone or cable line;
b) you may simply need to add WiFi capability to an already working gateway;
c) a WiFi card itself costs several times less than an AP.

Okay, you've crawled through the hardware specifications available on site, the pros and cons of different models from different manufacturers (D-Link, ASUS, TrendNet, Edimax, etc.), and eventually come to a simple conclusion: although there exist several independent NIC manufacturers, the most important thing about a WiFi card is the WiFi chip used inside; it doesn't matter how your WiFi card is actually labeled. Quite possibly they might be using the same WiFi chip. So you decide to skip fancy features like a guaranteed speed of 108 Mbit/s and the 802.11n specification and buy, for example, a budget card: the D-Link DWA-510. Luckily, it


device      ral     # Ralink Technology RT2500 wireless NICs.
device      ural    # Ralink Technology RT2500USB wireless NICs


Listing 5. It's always advisable to have kernel sources installed so you can figure out what exactly is supported (IDs are marked with bold)

$ cd /usr/src/sys/dev/ral
$ cat if_ral_pci.c | grep 0x1814
	{ 0x1814, 0x0201, "Ralink Technology RT2560" },

Listing 6. Kernel from a vanilla FreeBSD 6.2 doesn't have a clue about our card (ID is marked with bold)

none0@pci1:10:0: class=0x028000 card=0x3a711186 chip=0x03021814 rev=0x00 hdr=0x00
Listing 7. Conversion process with ndisgen utility

This script is designed to guide you through the process
of converting a Windows(r) binary driver module and .INF
specification file into a FreeBSD ELF kernel module for use
with the NDIS compatibility system.

The following options are available:

1] Learn about the NDIS compatibility system
2] Convert individual firmware files
3] Convert driver
4] Exit

Enter your selection: 3

Driver file conversion
The script will now try to convert the .INF and .SYS files
using the ndiscvt(1) utility. This utility can handle most
.INF files; however, occasionally it can fail to parse some files
due to subtle syntax issues: the .INF syntax is very complex,
and the Windows(r) parser will sometimes allow files with small
syntax errors to be processed correctly which ndiscvt(1) will
not. If the conversion fails, you may have to edit the .INF
file by hand to remove the offending lines.
Press enter to try converting the files now:
Conversion was successful.

Press enter to continue...

Kernel module generation
The script will now try to generate the kernel driver module.
This is the last step. Once this module is generated, you should
be able to load it just like any other FreeBSD driver module.
Press enter to compile the stub module and generate the driver
module now:
Generating Makefile... done.
Building kernel module... done.
Cleaning up... done.
The file rt61_sys.ko has been successfully generated.
You can kldload this module to get started.

Press return to exit.
can be put into a MiniPCI slot (it comes as a low profile card), so it must be the right thing for a home router. D-Link claims that the card is compatible with the 802.11b/g standard and that drivers are offered for the Windows/Linux operating systems only. But let's hope it will work with FreeBSD as well, because my home router runs FreeBSD and I don't feel comfortable with changing it to another OS.

Moreover, I don't think seriously about upgrading this version of FreeBSD on my home router. It is stable, quick in performance and does all the necessary home network chores. The next step I take is to power off the system in order to plug in the new WiFi card, and after that I switch

Windows XP by means of the Network Driver Interface Specification (NDIS) that it designed and implemented. So it might be a magic wand for our need.

In Linux it is known as ndiswrapper, while in FreeBSD it appears as NDISulator, first introduced by Bill Paul in FreeBSD 5.3.

So, there are two ways to generate a kernel driver for FreeBSD from a binary PE driver for Windows XP: the first is to use ndiscvt (old method), the second ndisgen (for FreeBSD versions 6.0 and higher).

Before the actual conversion process we need to download the Windows XP drivers from the Ralink site, section Support-


on the FreeBSD box. Unfortunately, no new network interface has been found.

Well, it's obvious that the unknown card mapped as none0@pci1:10:0 is our D-Link DWA-510.

manufacturer. This is a Ralink company. Better than nothing. Our next step is to figure out what's wrong. Are all the drivers loaded during the bootup process?


Grepping the kernel

Nothing like ral0 or ath0 is loaded. And although almost all WiFi cards on the consumer market (according to statistics) are based on chips manufactured by Ralink, Atheros and Marvell (Intel and Broadcom aren't taken into account as they operate in the high-end market segment), we hit the wrong turn. Let's make a looser search in the kernel sources, but now we know what we're looking for: the string Ralink.

Grepping through a kernel configuration gives us the following: see Listing 4.

It seems that there is support for Ralink-based cards. But apparently our new card is a bit too new. But which cards exactly are supported in this version of FreeBSD?

Yes, it's true. The only cards that can be initialized properly for this FreeBSD release are based on chips identified as RT2560 (ID = 0x0201). Compare this string with the pciconf output: see Listing 6.

Should we give up? Don't panic!




Convert Windows XP driver and use NDISulator

We know that FreeBSD and Linux share the

Listing 8. It is possible to use the ndiscvt utility as well

# cd /usr/src/sys/modules/if_ndis
# cp ~/driver_ralink/*.inf ./
# cp ~/driver_ralink/*.sys ./
# ndiscvt -i *.inf -s *.sys -o ndis_driver_data.h
# make

The only thing we know is the WiFi chip


Listing 9. Windows XP converted module is detected as ndis0 interface

# kldload ./rt61_sys.ko
# dmesg | grep ndis
ndis0: <D-Link Wireless G DWA-510 Desktop Adapter> mem 0xe5000000-0xe5007fff irq 5 at device 10.0 on pci1
ndis0: NDIS API version: 5.0
ndis0: Ethernet address: 00:21:91:22:9f:20

Listing 10. Available working modes via NDIS interface

# ifconfig -m ndis0
[...]
	supported media:
	media OFDM/48Mbps mode autoselect mediaopt adhoc
	media OFDM/48Mbps mode autoselect
	media OFDM/24Mbps mode autoselect mediaopt adhoc
	media OFDM/24Mbps mode autoselect
	media OFDM/12Mbps mode autoselect mediaopt adhoc
	media OFDM/12Mbps mode autoselect

Listing 11. The native backported driver is successfully loaded into a kernel

ral0: <Ralink Technology RT2561> mem 0xe5000000-0xe5007fff irq 5 at device 10.0 on pci1
ral0: MAC/BBP RT2561C, RF RT2527
ral0: Ethernet address: 00:21:91:22:9f:20


same capability — to load binary drivers from 


www.bsdmag.org 
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>Windows. We are only interested in archive for PCI/ 
mPCI/CB (RT256x/RT266x). 

Okay, we have downloaded and unpacked the archive. 
Let's get started with cooking the driver. Run ndisgen. 

We step through to step 3) and finally the kernel driver 
for FreeBSD is here. Alternatively, we could use the 
second way, i.e. convert it using the ndiscvt utility (see 
Listing 8). 

Back to our console: we got if_ndis.ko, and we need to 
reboot the system in order for this kernel driver to be loaded 
by the ndis module. 

But first, let's load it into memory and see whether the 
card works. 

Looks like our card is detected properly at last. Now we 
can list the modes that can be applied to this WiFi NIC. 

As we can see, the AccessPoint mode is missing. 
Although it isn't listed, we can force it to be used; run 
the ifconfig command as follows: 


# ifconfig ndis0 ssid my_net media OFDM/48Mbps mode 11g 
mediaopt hostap up 
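Forcing hostap on an interface whose ifconfig -m listing does not advertise it is a guess, and the listing is the only evidence the driver gives you. The script below is an added example, not code from the article or from FreeBSD: it parses the "supported media:" lines and reports which mediaopt keywords and which top rate a driver actually advertises. The two listings it works on are constructed to match the shape of Listings 10 and 12 (the ndis0 and ral0 output); on a real host you would pass in "$(ifconfig -m ndis0)" instead.

```shell
#!/bin/sh
# Added example (not from the article): inspect what `ifconfig -m` advertises
# before forcing a media option such as hostap on the interface.
# NDIS_MEDIA and RAL_MEDIA are constructed samples in the shape of Listings
# 10 and 12; feed "$(ifconfig -m <iface>)" to the functions on a real host.

NDIS_MEDIA='ndis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:21:91:22:9f:20
    media: IEEE 802.11 Wireless Ethernet autoselect
    supported media:
    media OFDM/48Mbps mode autoselect mediaopt adhoc
    media OFDM/48Mbps mode autoselect
    media OFDM/24Mbps mode autoselect mediaopt adhoc
    media OFDM/24Mbps mode autoselect'

RAL_MEDIA='ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:21:91:22:9f:20
    media: IEEE 802.11 Wireless Ethernet autoselect
    supported media:
    media OFDM/54Mbps mode autoselect mediaopt monitor
    media OFDM/54Mbps mode autoselect mediaopt hostap
    media OFDM/54Mbps mode autoselect mediaopt adhoc
    media OFDM/54Mbps mode autoselect'

# Print the distinct mediaopt keywords (adhoc, hostap, monitor, ...) found in
# the "supported media:" lines of the listing in $1, one per line, sorted.
mediaopts() {
    printf '%s\n' "$1" | sed -n 's/.*mediaopt \([a-z]*\).*/\1/p' | sort -u
}

# Succeed (exit 0) only if the mediaopt in $2 is advertised by the listing in $1.
has_mediaopt() {
    mediaopts "$1" | grep -qx "$2"
}

# Print the highest OFDM rate (Mbps) the listing advertises, so the
# "media OFDM/<rate>Mbps" argument is chosen from data rather than guessed.
max_rate() {
    printf '%s\n' "$1" | sed -n 's/.*OFDM\/\([0-9]*\)Mbps.*/\1/p' | sort -n | tail -n 1
}

# One-line verdict per listing, for the stand-alone run.
report() {          # report NAME LISTING
    if has_mediaopt "$2" hostap; then
        echo "$1: hostap advertised, top rate $(max_rate "$2") Mbps"
    else
        echo "$1: hostap NOT advertised (mediaopts: $(mediaopts "$2" | tr '\n' ' ')); forcing it is unsupported by the driver"
    fi
}

if [ "${1:-}" = run ]; then
    report ndis0 "$NDIS_MEDIA"
    report ral0 "$RAL_MEDIA"
fi
```

Run it as `sh check_media.sh run` to get one verdict per listing; for the ndis0 sample it reports only adhoc, which is exactly the situation the text works around with the forced hostap option.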


Listing 12. We have all modes supported by the native driver 

# ifconfig -m ral0 
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255 
	ether 00:21:91:22:9f:20 
	media: IEEE 802.11 Wireless Ethernet OFDM/48Mbps mode 11g <hostap> 
	status: associated 
	ssid my_net channel <n> bssid 00:21:91:22:9f:20 
	authmode OPEN privacy OFF txpowmax 100 bmiss 7 protmode CTS 
	dtimperiod 1 bintval 100 
	supported media: 
	media OFDM/54Mbps mode autoselect mediaopt monitor 
	media OFDM/54Mbps mode autoselect mediaopt hostap 
	media OFDM/54Mbps mode autoselect mediaopt adhoc 
	media OFDM/54Mbps mode autoselect 

Listing 13. Xxxxxxxx 

ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 
	inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255 
	ether 00:21:91:22:9f:20 
	media: IEEE 802.11 Wireless Ethernet OFDM/48Mbps mode 11g <hostap> 
	status: associated 


Here we set our network name as my_net, chose 
to use the high-speed connection mode (the substring 
media OFDM/48Mbps mode 11g), and as the last option we 
force the network interface to be used as an AccessPoint 
(the parameter hostap). 

Well, that's a pretty long way. Perhaps the easy way is 
to install a modern version of FreeBSD, because we 
know that this D-Link DWA-510 card is supported there? 
Alas, you can't always change a working and stable 
environment onto something else, even if you're quite sure 
that some subsystems are really outdated. 




Is there a backport driver? 

Anyway, we can continue working with the ndis0 interface 
without any problem. But there is a little hope: it is 
a known fact that the structure of the drivers, and the kernel 
itself, does not change drastically between nearby releases, for 
instance 6.0 and 7.0. 

So there is a little chance that someone has made 
a backport of this driver from FreeBSD 7 to FreeBSD 6. 
Let's ask Google. 

Indeed, after a long search we could find 
a patch [4]. Continue? Sure! 

Copy it to the /usr/src/sys location and apply the 
patch: 


# patch -p0 < if_ral.diff 

Now we need to compile the ral driver. 


# cd /usr/src/sys/modules 
# make ral 


The driver is ready. By default this ral driver is 
built into the kernel. That's why we need 
to comment it out in the kernel configuration and 
afterwards recompile the kernel. Only after you have 
installed the new kernel into the /boot directory can you 
test the driver with the kldload command: 


# kldload if_ral 


Tracing the logs gives us the following message: 
see Listing 11. 

That's very nice, because we now have the full 
range of supported modes: see Listing 12. 

So we can easily start the network interface 
ral0. 


# ifconfig ral0 ssid my_net media OFDM/48Mbps 
mode 11g mediaopt hostap 10.10.10.1 up 
On the 'Net 

http://www.thejemreport.com/content/view/293/ [1] 
http://brainstorm.name/archives/33 [2] 
http://www.freebsd.org/doc/en/books/handbook/config-network-setup.html [3] 
http://samodelkin.net/~fjoe/if_ral.diff [4] 


Aloha! The wireless network is here! (see Listing 13) 
Before the actual reboot we need to include the following 
string into /boot/loader.conf: 


if_ral_load="YES" 


And apply several security features, for example, start 
the daemons that will perform WEP or WPA2 encryption. 
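Listing 12 shows the access point coming up with authmode OPEN privacy OFF, and the step above only says to start the daemons that do the encryption. The script below is an added example, not part of the article and not FreeBSD's own code, that shows the defender's version of that step for the article's setup: it records the loader.conf and rc.conf entries without duplicating them, writes a WPA2-PSK (CCMP only) hostapd.conf for ral0 and my_net, and flags an interface whose ifconfig status still reports an open AP. It assumes hostapd's bsd driver and the hostapd_enable rc.conf knob (both exist in FreeBSD, though the article does not state which versions it used), uses a constructed sample passphrase, and takes file paths as parameters so it can be exercised on scratch files before touching /boot and /etc. WEP, which the text also mentions, is deliberately not offered: it is broken.

```shell
#!/bin/sh
# Added example (not from the article): the post-install hardening step.
# Assumptions: interface ral0, SSID my_net and address 10.10.10.1 come from
# the article; hostapd's "bsd" driver and the hostapd_enable rc.conf knob
# exist in FreeBSD; the passphrase is a constructed sample. File paths are
# parameters so the functions run against scratch files.

# Succeed (exit 0) when an ifconfig status block still shows an open AP, as in
# Listing 12 ("authmode OPEN privacy OFF"): the condition to alert on.
ap_is_open() {
    printf '%s\n' "$1" | grep -q 'authmode OPEN privacy OFF'
}

# Set KEY="VALUE" in a loader.conf / rc.conf style file exactly once:
# an existing line for KEY is replaced rather than duplicated.
set_conf_var() {            # set_conf_var FILE KEY VALUE
    file=$1 key=$2 val=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        grep -v "^${key}=" "$file" > "$file.new" || :
        mv "$file.new" "$file"
    fi
    printf '%s="%s"\n' "$key" "$val" >> "$file"
}

# Write a WPA2-PSK, CCMP-only hostapd.conf, readable by root only since it
# holds the passphrase. Refuses (exit 1, nothing written) a passphrase
# outside the 8..63 characters WPA-PSK allows.
write_hostapd_conf() {      # write_hostapd_conf FILE IFACE SSID PASSPHRASE
    pw=$4
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 63 ]; then
        echo "passphrase must be 8..63 characters" >&2
        return 1
    fi
    cat > "$1" <<EOF
interface=$2
driver=bsd
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=$3
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=$pw
EOF
    chmod 600 "$1"
}

# Stand-alone run against a scratch directory; prints the generated files.
demo() {
    dir=$(mktemp -d) || return 1
    set_conf_var "$dir/loader.conf" if_ral_load YES
    set_conf_var "$dir/loader.conf" if_ral_load YES     # repeat: no duplicate
    set_conf_var "$dir/rc.conf" hostapd_enable YES
    set_conf_var "$dir/rc.conf" ifconfig_ral0 \
        "inet 10.10.10.1 netmask 255.255.255.0 ssid my_net media OFDM/48Mbps mode 11g mediaopt hostap"
    write_hostapd_conf "$dir/hostapd.conf" ral0 my_net 'constructed-sample-passphrase' || return 1
    for f in loader.conf rc.conf hostapd.conf; do
        echo "== $f"; cat "$dir/$f"
    done
    rm -r "$dir"
}

if [ "${1:-}" = run ]; then demo; fi
```

After the daemon is running, `ifconfig ral0` should no longer match ap_is_open; keeping that check in a cron job or a post-boot script catches the case where hostapd failed to start and the interface silently came up open again.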


Conclusion 

Whilst we choose FreeBSD for its known stability and 
performance, there are chances that not all hardware 
devices are supported. And you'll be facing a problem: 
whether to stay with it, kick off an upgrade process, or 
simply move onto another operating system. Undoubtedly, 
the evolution even of operating systems is great. But 
sometimes you have no ability to change a thing, and 
you will need to figure out how to run unmaintained 
or even closed-source drivers. In this case, using the 
drivers from Windows XP with the NDIS emulator can be 
a solution. 


ANTON BORISOV 

Anton's very first experience with UNIX was FreeBSD. It was 
TWM, wget and Netscape Communicator. Many things have 
changed greatly since then, but the true simplicity remained 
unchanged - The Power to Serve. That's why the author prefers 
to delegate several network functions to FreeBSD. 
LET'S TALK 


I.T. certifications 
and the value I got in it 


After graduating college, I created an account on an 
online resume publishing site. 


Upon creating my online resume, I stumbled on 
a field asking for IT certifications. At that point, I 
had nothing to type in that field. I wasn't even 
aware that I.T. certification(s) would be something to put 
on a resume. So I left the field blank and completed my 
online resume. 

A couple of years passed after my resume had 
been uploaded, and I hadn't got any emails or calls from 
employers using the online resume publishing site. I think 
there's something missing. I need to stand out, and my 
resume should be browsed by potential employers for 
consideration in their job postings. 

I have searched and looked at I.T. certifications from 
different vendors and technologies, and I decided I 
would want to get one. Since the company I worked 
for uses different distributions of Linux, a certification in 
Linux must be the first I should get. I have used many 
resources studying the Linux systems, from online and 
printed materials to blogs and tutorials. I also used 
online practice tests to see my familiarity and mastery of 
the topics. When I was ready, I signed up for the LPI 
101 examination and I passed it. Then I took LPI 102 and 
passed it too. This time, I was awarded the LPIC-1 
certification. 

Upon receiving my certificate, I immediately updated 
my online resume to put my LPIC-1 in the IT certification 
field. After a few days, I received a couple of 
emails from the site, which contained a list of employers 
viewing my resume. Indeed my IT certification caught 
the attention of employers, and I am now gaining 
value. 

I wasn't satisfied with one certification and I went 
on to take the SCJP from Sun Microsystems. I passed 
the examination and updated my online resume. As 
expected, I received emails about job postings. I also 
now get a lot of phone calls from employers saying that 
"We have viewed your online resume, would you like to 
consider an interview for the position...?". This has been 
very fulfilling for me. 

Having a certification is very rewarding personally and 
professionally. It is some form of self-accomplishment. 
First of all, you learn a lot of things by studying, practicing, 
and making your way through the exam objectives. I, for 
myself, learned a lot from the preparations/reviews I did 
for my exams. The things I learned were not day-to- 
day topics. Instead, they were advanced topics ranging 
from the internals, concepts, and applications. I was a 
Linux user before my certification, and I became a Linux 
power user after I achieved it. 

The skills I learned from LPIC-1 were my very 
foundations for studying and using the FreeBSD 
operating system. Although Linux and FreeBSD have 
their differences, they have something in common, and 
that is their UNIX roots (made to act like, and based on, 
UNIX, respectively). 

I read new study materials from time to time, so as to keep 
my skills fresh. I know for a fact that one could get rusty 
if one does not use the skills gained. So being certified in 
one technology does not mean you are a master of that 
particular technology. One should update his/her skills by 
reviewing the topics and studying the advancements in 
that technology. 

I'm looking forward to taking the BSDA examination 
next. But according to them, BSDA is available at events 
and other conferences for the time being, as they have 
not tied up with Prometric and VUE for examination 
delivery. I'm looking forward to making my skills and 
knowledge in FreeBSD go deeper and improve. And I 
hope one day I could take the BSDA examination and 
pass it. 

Certification alone is NOT enough (my personal opinion) 
to be productive and competitive. In today's highly 
competitive market, you have to be highly skilled and 
experienced. Having certification(s) does not guarantee 
you landing a good high-paying job, but it makes 
your chance higher than other job seekers'. In my point 
of view, I.T. certification(s), proven skills, and experience 
are the pieces that will give you the edge in today's job 
market. 


JOSHUA EBARVIA 

Joshua Ebarvia is a Java programmer, systems administrator 
and college lecturer. His passion is working with and using operating 
systems, especially UNIX-based and UNIX-cloned systems. You can 
reach him at joshua.ebarvia@gmail.com 
Tired of being able to choose from only chocolate, strawberry, 
or vanilla? At iXsystems, we understand your need for custom-made servers. 


"Open Source Hardware Design" is the iXsystems trademark. iXsystems provides an 
assortment of pre-configured servers and storage solutions, but our true pride rests on 
our ability to customize our products to meet your specific tastes and needs. iXsystems 
mixes in the raw power of Intel® Xeon® 5600/5500 Series Processors for a truly delicious 
treat. Our Professional Enterprise Service Level packages and desktop support offering 
also enable us to ensure you get the most from your FreeBSD® and PC-BSD® systems, 
adding the perfect toppings to your order. 


Call iXsystems toll free or visit our website today! 
+1-800-820-BSDi | www.iXsystems.com 
High-Density Storage Solutions 

Open Source Configurations 

Powerful. Intelligent. 